1 Cisco Identity Services Engine (ISE) Common Criteria Operational User Guidance And Preparative Procedures Version 0.5 January 2017


Cisco Identity Services Engine (ISE)

Common Criteria Operational User Guidance

And Preparative Procedures

Version 0.5

January 2017


Table of Contents

1. Introduction ............................................................................................................................. 7

1.1 Audience ......................................................................................................................... 7

1.2 Purpose ............................................................................................................................ 7

1.3 Document References ..................................................................................................... 7

1.4 Supported Hardware and Software ................................................................................. 7

1.5 Operational Environment ................................................................................................ 8

1.5.1 Supported non-TOE Hardware/ Software/ Firmware ................................................. 8

1.6 Excluded Functionality ................................................................................................... 8

2. Secure Acceptance of the TOE ............................................................................................. 10

3. Secure Installation and Configuration .................................................................................. 12

3.1 Physical Installation ...................................................................................................... 12

3.2 Initial Setup ................................................................................................................... 12

3.2.1 Options to be chosen during the initial setup of the ISE 2.0 ..................................... 12

3.2.2 Saving Configuration ................................................................................................ 12

3.2.3 Enabling FIPS Mode ................................................................................................. 13

3.2.4 Authentication Stores ................................................................................................ 13

3.2.5 Session Termination.................................................................................................. 13

3.3 Network Protocols and Cryptographic Settings ............................................................ 14

3.3.1 Remote Administration Protocols ............................................................................. 14

3.3.2 SSL/TLS Settings...................................................................................................... 15

3.3.3 Logging Configuration.............................................................................................. 26

3.3.4 SSH Public-Key Authentication ............................................................................... 26

3.3.5 Synchronizing Configurations Between TOE Iterations .......................................... 29

3.3.6 Logging Protection.................................................................................................... 30

4. Secure Management .............................................................................................................. 32

4.1 User Roles ..................................................................................................................... 32

4.2 Passwords ...................................................................................................................... 33

4.3 Clock Management ....................................................................................................... 33

4.4 Identification and Authentication ................................................................................. 34

4.5 Login Banners ............................................................................................................... 34


4.6 Verifying Software Version .......................................................................................... 35

4.7 Services on the Box ...................................................................................................... 36

4.8 Secure Connection Recovery ........................................................................................ 36

5. Security Relevant Events ...................................................................................................... 36

5.1 Viewing Audit Records................................................................................................. 52

5.2 Deleting Audit Records................................................................................................. 55

5.2.1 Local Logs Storage Settings and Deletion ................................................................ 55

5.2.2 External Platform Logs Storage Settings and Deletion ............................................ 56

6. Modes of Operation .............................................................................................................. 57

7. Security Measures for the Operational Environment............................................................ 59

8. Related Documentation ......................................................................................................... 61

8.1 World Wide Web .......................................................................................................... 61

8.2 Ordering Documentation .............................................................................................. 61

8.3 Documentation Feedback.............................................................................................. 61

9. Obtaining Technical Assistance ............................................................................................ 62


List of Tables

Table 1: Acronyms .......................................................................................................................... 5

Table 2: Cisco Documentation....................................................................................................... 7

Table 3: Operational Environment Components ............................................................................ 8

Table 4: Excluded Functionality ..................................................................................................... 8

Table 5: TOE External Identification ........................................................................................... 10

Table 6: Evaluated Software Images ........................................................................................... 11

Table 7: Firefox Settings ............................................................................................................... 17

Table 8: Default RBAC Menu Access Permissions ..................................................................... 32

Table 9: Auditable Events ............................................................................................................. 38

Table 10: Auditable Administrative Events .................................................................................. 45

Table 11: Operational Environment Security Measures ............................................................... 59


List of Acronyms

The following acronyms and abbreviations are used in this document:

Table 1: Acronyms

Acronyms / Abbreviations    Definition

AES Advanced Encryption Standard

FIPS Federal Information Processing Standards

HTTPS Hyper-Text Transport Protocol Secure

IP Internet Protocol

SSHv2 Secure Shell (version 2)

TCP Transport Control Protocol

TOE Target of Evaluation


DOCUMENT INTRODUCTION

Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134

This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Identity Services Engine (ISE) (also referred to as ISE 2.0 in this document). This Operational User Guidance with Preparative Procedures addresses the administration of the TOE software and hardware and describes how to install, configure, and maintain the TOE in the Common Criteria evaluated configuration. Administrators of the TOE will be referred to as administrators, Security administrators, TOE administrators, semi-privileged administrators, and privileged administrators in this document.


1. Introduction

This Operational User Guidance with Preparative Procedures documents the administration of the Identity Services Engine (ISE), the TOE, as it was certified under Common Criteria. The Identity Services Engine (ISE) may be referenced below as the 3400/3500 Series Appliances, ISE 2.0, TOE, or simply ISE.

1.1 Audience

This document is written for administrators configuring the TOE. It assumes that you are familiar with the basic concepts and terminology used in internetworking, that you understand your network topology and the protocols that the devices in your network can use, that you are a trusted individual, and that you are trained to use the operating systems on which you are running your network.

1.2 Purpose

This document is the Operational User Guidance with Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and administrator functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration. This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining ISE 2.0 operations.

1.3 Document References

This document makes reference to several Cisco Systems documents. The documents used are shown below in Table 2. Throughout this document, the guides will be referred to by the “#”, such as [1].

Table 2: Cisco Documentation

#    Title                                                                      Link

[1]  Cisco Identity Services Engine CLI Reference Guide, Release 2.0
     http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/cli_ref_guide/b_ise_CLIReferenceGuide_20.pdf

[2]  Cisco Identity Services Engine Administrator Guide, Release 2.0
     http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.pdf

[3]  Cisco Identity Services Engine Hardware Installation Guide, Release 2.0
     http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20.pdf

[5]  Cisco Identity Services Engine (ISE) Security Target
     N/A

1.4 Supported Hardware and Software

Only the hardware and software listed in section 1.7 of the Security Target (ST) is compliant with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the secure configuration. Likewise, using any software version other than the evaluated software listed in the ST will invalidate the secure configuration. The TOE includes four hardware options: Cisco Identity Services Engine Appliance 3415, Cisco Identity Services Engine Appliance 3495, Cisco Identity Services Engine Appliance 3515 and Cisco Identity Services Engine Appliance 3595. The network on which they reside is considered part of the environment. The software comes pre-installed and is comprised of the ISE v2.0, running on Cisco Application Deployment Engine (ADE) Release 2.4 operating system (ADE-OS).

1.5 Operational Environment

1.5.1 Supported non-TOE Hardware/ Software/ Firmware

The TOE supports (in some cases optionally) the following hardware, software, and firmware in its environment:

Table 3: Operational Environment Components

Component: Administrative Console
Required: Yes
Usage/Purpose Description for TOE performance: This console provides the connection to the ISE appliance for administration and management. The console can connect directly to ISE or over the network via a browser or SSHv2 connection. The TOE supports the following browsers:
    Mozilla Firefox version 39 and later
    Google Chrome version 43 and later
    Microsoft Internet Explorer 9.x, 10.x and 11.x. If using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).

Component: Remote Authentication Store
Required: No
Usage/Purpose Description for TOE performance: The TOE supports local authentication or authentication via a remote authentication store, including LDAP and Active Directory.

Component: Syslog Target
Required: Yes
Usage/Purpose Description for TOE performance: The TOE must offload syslogs to an external entity, which can be another iteration of ISE or a syslog server that supports TLS-protected transfer.


1.6 Excluded Functionality

Table 4: Excluded Functionality

Excluded Functionality: Non-FIPS mode of operation
Exclusion Rationale: This mode of operation includes non-FIPS allowed operations.

Excluded Functionality: All functionalities of Cisco ISE that have not been described in Section Error! Reference source not found. of [5]
Exclusion Rationale: These functionalities do not map to the NDcPP requirements.

Excluded Functionality: Telnet for management purposes.
Exclusion Rationale: Telnet passes authentication credentials in clear text and is not supported by ISE for management purposes. SSHv2 is to be used instead.

These services will be disabled by configuration. The exclusion of this functionality does not affect compliance to the U.S. Government Protection Profile for Security Requirements for Network Devices, version 1.1.


2. Secure Acceptance of the TOE

In order to ensure the correct TOE is received, the TOE should be examined to ensure that it has not been tampered with during delivery.

Verify that the TOE software and hardware were not tampered with during delivery by performing the following actions:

Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 2 Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box.

Step 4 Note the serial number of the TOE on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the device. Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/FAX or other online tracking service.

Step 6 Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). Also verify that the unit has the following external identification as described in Table 5 below.

Table 5: TOE External Identification

Product Name          Model Number    External Identification
ISE 2.0 3400 Series   3415            SNS-3415
ISE 2.0 3400 Series   3495            SNS-3495
ISE 2.0 3500 Series   3515            SNS-3515
ISE 2.0 3500 Series   3595            SNS-3595

Step 7 Approved methods for obtaining a Common Criteria evaluated software image:

- Download the Common Criteria evaluated software image file from Cisco.com onto a trusted computer system. Software images are available from Cisco.com at the following: http://www.cisco.com/cisco/software/navigator.html.
- The TOE ships with the correct software images installed.

Step 8 A digital signature mechanism is used to verify software/firmware update files (to ensure they have not been modified from the originals distributed by Cisco) before they are used to actually update the applicable TOE components. The updates can be downloaded from software.Cisco.com. The TOE image files are digitally signed so their integrity can be verified during the boot process, and an image that fails an integrity check will not be loaded. The digital certificates used by the update verification mechanism are contained on the TOE. If the digital signature fails, contact Cisco Technical Assistance Center (TAC): https://tools.cisco.com/ServiceRequestTool/create/launch.do.

Step 9 Install the downloaded and verified software image onto your ISE 2.0 as described in [1] under patch install or in [2] under Install a Software Patch and the following sections. Start your ISE 2.0 as described in [3], Chapter 7. Confirm that your ISE 2.0 loads the image correctly, completes internal self-checks and displays the cryptographic export warning on the console.

Step 10 The end-user must confirm once the TOE has booted that they are indeed running the evaluated version. Use the “show application version ise” command to display the currently running software release version.

Table 6: Evaluated Software Images

Software Version: Cisco ISE Software Version 2.0.1 full installation. This ISO file can be used for installing ISE on SNS-34x5 and SNS-35x5 Appliances as well as a VM installation on VMWare ESX/ESXi 5.x/6.x and KVM
Image Name: ise-2.0.1.130.SPA.x86_64.iso


3. Secure Installation and Configuration

3.1 Physical Installation

For the appliance form-factor, follow the Cisco Identity Services Engine Hardware Installation Guide, Release 2.0 [3] for hardware installation instructions.

3.2 Initial Setup

The ISE 2.0 must be given basic configuration via console connection prior to being connected to any network.

3.2.1 Options to be chosen during the initial setup of the ISE 2.0

When you start to configure ISE via the CLI, a number of parameters must be configured. See [3] under Installing and Configuring a Cisco SNS-3400/3500 Series Appliance -> Cisco ISE Setup Program Parameters.

The exception to the information given in this section is that the password must meet the requirements in the ST:

1. Passwords shall be able to be composed of any combination of upper and lower case letters, numbers, and the following special characters: [“!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, “)”];

2. Minimum password length shall be settable by the Security Administrator, and support passwords of 15 characters or greater.

Additional setup via the HTTPS Graphical User Interface (GUI) is needed:

Administrator Password Policy: the policy may be set to enforce a minimum password length of 15 characters:

a. Choose Administration > System > Admin Access > Authentication
b. Click the Password Policy tab.
c. On the Password Policy tab, change the Minimum Length field to 15.
d. Additional restrictions can be set per local company policy.
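The two ST password requirements above (the permitted character set and a settable minimum length that must support 15 or more characters) can be expressed as a small checker. The following is an added example written for this guide, not Cisco code and not how ISE implements its password policy internally; it is useful for auditing a configured Minimum Length value and for testing candidate administrator passwords against the composition rule before they are set.

```python
# Characters the ST (section 3.2.1, rule 1) permits in administrator
# passwords: upper and lower case letters, digits and the listed specials.
ALLOWED_SPECIALS = set('!@#$%^&*()')
ALLOWED_CHARS = (set('abcdefghijklmnopqrstuvwxyz')
                 | set('ABCDEFGHIJKLMNOPQRSTUVWXYZ')
                 | set('0123456789')
                 | ALLOWED_SPECIALS)

# Minimum length the evaluated configuration requires the policy to enforce
# (section 3.2.1, rule 2 and GUI step c).
CC_MINIMUM_LENGTH = 15


def check_policy_setting(configured_minimum: int) -> list:
    """Audit the 'Minimum Length' value configured in the GUI password policy.

    Returns a list of problems; an empty list means the setting meets the
    Common Criteria requirement of 15 characters or greater.
    """
    problems = []
    if configured_minimum < CC_MINIMUM_LENGTH:
        problems.append(
            f"minimum length {configured_minimum} is below the required "
            f"{CC_MINIMUM_LENGTH}")
    return problems


def check_password(password: str, minimum_length: int = CC_MINIMUM_LENGTH) -> list:
    """Check a candidate password against the ST composition rule and the
    configured minimum length.

    Returns a list of reasons the password is rejected; an empty list means
    it is acceptable. Characters outside the permitted set (for example a
    space or a brace) are reported explicitly so the administrator can see
    what the policy refused.
    """
    reasons = []
    if len(password) < minimum_length:
        reasons.append(f"shorter than {minimum_length} characters")
    disallowed = sorted({c for c in password if c not in ALLOWED_CHARS})
    if disallowed:
        reasons.append("disallowed characters: " + "".join(disallowed))
    return reasons


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_policy_setting(8))              # the default-looking weak setting
    print(check_policy_setting(15))             # the evaluated setting
    print(check_password("Abcdefghij12345"))    # acceptable: 15 chars, allowed set
    print(check_password("Abcdefghij1234{"))    # '{' is not in the permitted set
```

The checker deliberately reports only what the ST requires; any additional local company restrictions (GUI step d) would be layered on top of `check_password`, not folded into the permitted character set.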

3.2.2 Saving Configuration

ISE uses both a running configuration and a startup configuration when working with the CLI. Configuration changes affect the running configuration; in order to save that configuration, the running configuration (held in memory) must be copied to the startup configuration. This may be achieved by using either the write memory command or the copy running-config startup-config command. These commands should be used frequently when making changes to the configuration of the TOE. If the TOE reboots and resumes operation while uncommitted changes have been made, these changes will be lost and the TOE will revert to the last configuration saved.

When working with the GUI, the configuration is automatically saved every time values are entered and the “Save” button is used on each screen.


3.2.3 Enabling FIPS Mode

The TOE must be run in the FIPS mode of operation. The instructions to enable FIPS are under the section “Configure FIPS Mode on ISE” in the document http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200535-FIPS-Mode-on-ISE.html. No other mode of operation was tested and this limits Cisco ISE to only the cryptographic operations claimed by the Common Criteria evaluation.

The TOE administrator must verify that a FIPS mode icon is displayed to the left of the node name in the upper-right corner of the GUI screen. This indicates that the TOE is in FIPS mode.

3.2.4 Authentication Stores

The TOE by default uses local authentication stores for administrative identification and authentication. Configuration of external authentication sources (for remote password authentication) is covered in [2] under Managing Users and End-User Portals -> Managing Users and External Identity Stores. This evaluation only covers authentication via the local (internal) database, Active Directory, or LDAP.

3.2.5 Session Termination

Inactivity settings must trigger termination of the administrator session. These settings are configurable by setting the Administration > System > Admin Access > Settings -> Session Timeout setting in the GUI, which defines a session idle timeout period in minutes. After this period elapses, the session times out and access is no longer possible during this session. The administrator may re-initiate the login process to continue work.

For the CLI, this timeout is configured using the command:

terminal session-timeout minutes

After this period elapses at the CLI, the session times out and access is no longer possible during this session. The administrator may re-initiate the login process to continue work. The administrator may also resume the access from the previous session by selecting that session after successful authentication and establishment of a new session. See the screen shot below for the options given. Either selection starts a new administrative session with a new inactivity timer.

Configuration of these settings is limited to the CLI administrator and the Super Admin and System Admin group roles on the GUI (see Section 4.1). Each administrator logged onto the TOE can manually terminate his/her session using the “Log Out” link in the web-based GUI or the “exit” or “forceout <username>” commands at the CLI.

3.3 Network Protocols and Cryptographic Settings

3.3.1 Remote Administration Protocols

ISE provides two ways to manage the TOE remotely:

- SSHv2 must be used. Once FIPS mode is enabled as described in Enabling FIPS Mode above, SSHv2 is the only SSH version allowed. Telnet is not allowed for management purposes.

  o To enforce the required AES-CBC 128 bit or AES-CBC 256 bit cipher requirement and SHA MACs when connecting to the TOE, the SSH client must request these algorithms. On Linux-based systems this is done with the following SSH syntax:

    ssh -2 -c [aes128-cbc or aes256-cbc] -m [sha macs]

    Note: The hashing method ‘none’ is NOT to be used in the evaluated configuration.

  o To enable SSH, the CLI admin must enter the following command from the Cisco ISE Command-Line Interface (CLI) Configuration Mode:

    service sshd enable

  o To enforce the required Diffie-Hellman-Group14-SHA1 SSH key exchange, the CLI admin must enter the following command from the Cisco ISE Command-Line Interface (CLI) Configuration Mode:

    service sshd key-exchange-algorithm diffie-hellman-group14-sha1

- HTTPS must be used for connections to the administrative GUI. Note that when connecting to the GUI, both port 80 (HTTP) and 443 (HTTPS) are listening, but port 80 by default is redirected to port 443. This setting cannot be changed. It is the administrator’s responsibility to configure their HTTPS client per the SSL/TLS Settings in Section 3.3.2.

See Appendix B -> Cisco ISE Ports Reference in [3] for more information on the available ports and interfaces.
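The SSH bullet above puts the burden on the client to request only AES-CBC, SHA-based MACs and the group14-sha1 key exchange. As an added example (not Cisco code, and not part of this guide's original text), the following script audits the Ciphers, MACs and KexAlgorithms lines of an ssh_config Host block against those requirements and builds the matching ssh command line. The concrete MAC names treated as "SHA macs" (hmac-sha1, hmac-sha2-256, hmac-sha2-512) and the use of `-o KexAlgorithms=` to pin the key exchange are assumptions made here; the ST, not this script, is authoritative for the exact algorithm set.

```python
# OpenSSH algorithm names this example treats as the evaluated set
# (assumption: the ST's "SHA macs" are the hmac-sha* family).
ALLOWED_CIPHERS = ("aes128-cbc", "aes256-cbc")
ALLOWED_MACS = ("hmac-sha1", "hmac-sha2-256", "hmac-sha2-512")
REQUIRED_KEX = "diffie-hellman-group14-sha1"

# Constructed ssh_config Host block used as sample input; the ctr cipher and
# the 'none' MAC are deliberately non-compliant so the audit has something
# to report.
SAMPLE_SSH_CONFIG = """\
Host ise-admin
  # HostName is a documentation-range address, not a real appliance
  HostName 192.0.2.10
  Ciphers aes256-cbc,aes128-ctr
  MACs hmac-sha1,none
  KexAlgorithms diffie-hellman-group14-sha1
"""


def parse_ssh_config_block(text):
    """Extract the Ciphers, MACs and KexAlgorithms keywords from one Host
    block. Comment and blank lines are skipped; each keyword's value is a
    comma-separated list of algorithm names."""
    found = {"Ciphers": [], "MACs": [], "KexAlgorithms": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in found:
            found[parts[0]] = [a.strip() for a in parts[1].split(",")]
    return found


def check_client_algorithms(ciphers, macs, kex):
    """Return the list of ways a client's proposal departs from the
    evaluated configuration (empty list means compliant)."""
    problems = []
    bad_ciphers = [c for c in ciphers if c not in ALLOWED_CIPHERS]
    if bad_ciphers:
        problems.append("ciphers outside AES-CBC 128/256: " + ", ".join(bad_ciphers))
    if "none" in macs:
        problems.append("MAC 'none' must not be offered")
    bad_macs = [m for m in macs if m != "none" and m not in ALLOWED_MACS]
    if bad_macs:
        problems.append("non-SHA MACs: " + ", ".join(bad_macs))
    bad_kex = [k for k in kex if k != REQUIRED_KEX]
    if bad_kex:
        problems.append("key exchanges other than group14-sha1: " + ", ".join(bad_kex))
    return problems


def build_ssh_command(host, user, cipher="aes256-cbc", mac="hmac-sha1"):
    """Build the ssh invocation from the guidance, pinning cipher, MAC and
    key exchange on the command line so the client requests only the
    evaluated algorithms regardless of what its config file defaults to.
    Raises ValueError rather than emitting a non-compliant command."""
    problems = check_client_algorithms([cipher], [mac], [REQUIRED_KEX])
    if problems:
        raise ValueError("; ".join(problems))
    return ["ssh", "-2", "-c", cipher, "-m", mac,
            "-o", f"KexAlgorithms={REQUIRED_KEX}", f"{user}@{host}"]


if __name__ == "__main__":
    block = parse_ssh_config_block(SAMPLE_SSH_CONFIG)
    for problem in check_client_algorithms(block["Ciphers"], block["MACs"],
                                           block["KexAlgorithms"]):
        print("non-compliant:", problem)
    print(" ".join(build_ssh_command("192.0.2.10", "admin")))
```

Pinning the algorithms per invocation (or in the Host block) is what makes the check meaningful: a client that merely lists the evaluated algorithms alongside others may still negotiate something outside the evaluated set if the server offers it.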

3.3.2 SSL/TLS Settings

The evaluated configuration requires that connections to the TOE use TLS 1.1 or TLS 1.2 with one of the following algorithms:

a. TLS_RSA_WITH_AES_128_CBC_SHA
b. TLS_RSA_WITH_AES_256_CBC_SHA
c. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
d. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
e. TLS_RSA_WITH_AES_128_CBC_SHA256
f. TLS_RSA_WITH_AES_256_CBC_SHA256

The SSL/TLS client must be configured for one or more of the above algorithms. See the documentation for your browser for the specific configuration settings. Enabling FIPS mode in the TOE is the first step to limiting the TLS versions supported to v1.1 and 1.2 and also limits the allowed ciphersuites to the list claimed in the FCS_TLSS_EXT.1.1 SFR of the ST. The next step is to uncheck the “Enable TLS 1.0 only for legacy clients” checkbox and check the “Enable SHA-1 only for legacy clients” checkbox. This will allow ISE as TLS client to LDAPS servers to only support TLS v1.1 and TLS v1.2.

Menu: Administration > System > Settings
Left-side navigation: Protocols > Security Settings:


Firefox Example Configuration

For Firefox, you should open Firefox > Preferences > and select Use TLS 1.1/1.2. Next type “about:config” in the address bar. A warning will come up about changing these settings. Do a search on security and you will see the algorithms listed as: security.ssl3.rsa_aes_128_sha. In order to only enable the mandatory ciphersuites the other non-standard ciphersuites must be disabled in the browser. Double click on each ciphersuite that must be disabled and the Value will turn to false. See Table 7 below for details.


Table 7: Firefox Settings

Internet Explorer Example Configuration

To verify TLS is configured, open Internet Explorer > Tools > Internet Options > Advanced, scroll down to Security and select TLS 1.1/1.2.

In order to prioritize the ciphersuites that Internet Explorer uses, go to Start > Run ‘gpedit.msc’. The Local Group Policy Editor will open; then click on Local Computer Policy > Computer Configuration > Administrative Templates > Network > SSL Configuration Settings, double click on the SSL Cipher Suite Order and click Edit Policy.

Steps to Edit the SSL Cipher Suite Order

1. Click on the Enabled radio button.
2. The current cipher suites will be listed under the heading SSL Cipher Suites.
3. Copy these into a notepad document and save them as a backup.
4. Open a new blank notepad document.
5. Enter the following mandatory ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
6. Place a comma at the end of every suite name except the last. Make sure there are NO embedded spaces.
7. Remove all the line breaks so that the cipher suite names are on a single, long line.
8. Copy the above ciphersuites (from step 5) and paste into the box that previously had the listing of all supported TLS ciphersuites. The maximum length is 1023 characters.
9. It is necessary to restart the computer after modifying this setting for the changes to take effect.
10. As a reference the following web page was used for these instructions: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930%28v=vs.85%29.aspx#adding__removing__and_prioritizing_cipher_suites
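Steps 5 through 8 describe a value that is easy to get subtly wrong by hand (an embedded space, a trailing comma, a stray line break, or a suite outside the evaluated list silently breaks or weakens the policy). As an added example, not part of this guide and not Microsoft or Cisco code, the following helper builds the SSL Cipher Suite Order value from the six suites listed in Section 3.3.2 and audits an existing value against the formatting rules above. It goes slightly beyond the two suites in step 5 by defaulting to all six evaluated suites; the limit of 1023 characters is taken from step 8.

```python
# The ciphersuites Section 3.3.2 lists for the evaluated configuration.
EVALUATED_SUITES = (
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
)

# Maximum length of the SSL Cipher Suite Order policy value (step 8).
MAX_POLICY_LENGTH = 1023


def build_cipher_suite_order(suites=EVALUATED_SUITES):
    """Produce the policy value in the form steps 6 and 7 require: names on
    one line, comma separated, no embedded spaces, no trailing comma."""
    value = ",".join(suites)
    if len(value) > MAX_POLICY_LENGTH:
        raise ValueError(f"cipher suite order exceeds {MAX_POLICY_LENGTH} characters")
    return value


def check_cipher_suite_order(value, allowed=EVALUATED_SUITES):
    """Audit a policy value copied out of the Group Policy editor.

    Returns a list of problems; an empty list means the value follows the
    formatting rules of steps 6 to 8 and names only evaluated suites.
    """
    problems = []
    if "\n" in value or "\r" in value:
        problems.append("line breaks present; names must be on a single line")
    if " " in value:
        problems.append("embedded spaces present")
    if value.rstrip().endswith(","):
        problems.append("trailing comma after the last suite")
    if len(value) > MAX_POLICY_LENGTH:
        problems.append(f"value is {len(value)} characters, limit is {MAX_POLICY_LENGTH}")
    # Tolerate the formatting faults above while extracting names, so that a
    # non-evaluated suite is still reported alongside them.
    cleaned = value.replace("\r", "").replace("\n", "")
    names = [n.strip() for n in cleaned.split(",") if n.strip()]
    extra = [n for n in names if n not in allowed]
    if extra:
        problems.append("suites outside the evaluated list: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    print(build_cipher_suite_order())
    # Constructed sample of a hand-edited value with three faults.
    sample = "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA,"
    for problem in check_cipher_suite_order(sample):
        print("problem:", problem)
```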

Instructions for Setting the Reference Identifier for Certificate Validation in TLS:

When the TOE acts as a TLS client to LDAPS servers, it obtains the reference identifiers from the administrator-configured value in the LDAP Identity Source Hostname/IP field. (Administration application. Menu: Administration > Identity Management > External Identity Sources. Left-Navigation: LDAP. “Connection” tab. Hostname/IP field)

When the TOE acts as a TLS client to TLS Secure Syslog servers, it obtains the reference identifiers from the administrator-configured value in the Remote Logging Targets IP/Host Address field. (Administration application. Menu: Administration > System > Logging. Left-Navigation: Remote Logging Targets. IP/Host Address field)

The TOE supports the following presented identifier types:

1. subjectAltName entry of type dNSName (DNS-ID in RFC 6125)

2. CN-ID as defined in RFC 6125, exact case-sensitive match only (i.e., no wildcards supported in CN-ID)


3. subjectAltName entry of type iPAddress; and

4. Wildcards in the left-most label of a subjectAltName entry of type dNSName.

Certificate pinning is unsupported by the TOE.

Certificate Signing Requests :

The detailed instructions to request a signed certificate from a CA are listed in the section “Certificate Signing Requests” in Chapter 7 of [2].

Steps for Configuring the Client-side Certificates for TLS Authentication:

The following two steps are required to configure the client-side certificates for TLS authentication:

1. The TLS server Certificate Authority certificates for the TOE Administration application, the LDAPS Server and the Secure Syslog Audit Server must be imported into the “Trusted Certificates” data store. When importing the Trusted Certificate Authority certificate(s), all of the following must be configured:

a) The checkbox “Validate Certificate Extensions” must be checked.

b) The “Trusted For:” fields must be configured as follows: check the checkbox “Trust for client authentication and Syslog” when the TOE acts as a Secure Syslog client to a Secure Syslog Server and the Trusted Certificate Authority certificate is for the Secure Syslog Server. When the HTTPS client’s certificate authority certificate is being used to authenticate to the TOE using client-certificate authentication, the Certificate Authority certificate must have the “Trusted for client authentication and Syslog” checkbox checked.

c) Check the checkbox “Trust for authentication within ISE” when the Certificate Authority certificate is for the non-TOE LDAPS Server.

2. The configured TOE Server certificate for usage “EAP Authentication” must contain one of the supported RFC 6125 reference identifiers as configured on the LDAPS Server(s) and Secure Syslog Audit Server(s).

When the TOE acts as a TLS client to LDAPS servers, it obtains the RFC 6125 reference identifiers from the administrator-configured value in the LDAP Identity Source Hostname/IP field. (Administration application. Menu: Administration > Identity Management > External Identity Sources. Left-Navigation: LDAP. “Connection” tab. Hostname/IP field)

When the TOE acts as a TLS client to TLS Secure Syslog servers, it obtains the reference identifiers from the administrator-configured value in the Remote Logging Targets IP/Host Address field. (Administration application. Menu: Administration > System > Logging. Left-Navigation: Remote Logging Targets. IP/Host Address field).


The TOE supports the following presented identifier types:

a) subjectAltName entry of type dNSName (DNS-ID in RFC 6125)

b) CN-ID as defined in RFC 6125,

c) subjectAltName entry of type iPAddress; and

d) Wildcards in DNS domain names.

Certificate pinning is unsupported by the TOE.
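Reference identifier matching as the presented identifier types listed here and in the earlier “Instructions for Setting the Reference Identifier” passage describe it, written as an added example that is not part of the original guidance or of ISE’s code. It assumes the presented identifiers have already been extracted from the server certificate, treats a wildcard as valid only when it is the entire left-most label, and applies the RFC 6125 rule that CN-ID is consulted only when no dNSName SAN is present.

```python
from __future__ import annotations

import ipaddress

# Presented identifier types the guide lists: dNSName SAN, iPAddress SAN, CN-ID.
DNS_ID, IP_ID, CN_ID = "dNSName", "iPAddress", "CN-ID"


def _dns_name_match(reference: str, presented: str) -> bool:
    """Compare one dNSName SAN against a hostname reference identifier.

    RFC 6125 section 6.4.1 compares DNS names case-insensitively. Assumption
    for the guide's "wildcards in left-most label" rule: the wildcard must be
    the whole left-most label, it matches exactly one label, and a wildcard
    anywhere else (or a partial label such as "ba*") is rejected."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if any("*" in label for label in pres[1:]):
        return False
    if "*" in pres[0]:
        if pres[0] != "*" or len(pres) < 3:
            return False
        return len(ref) == len(pres) and ref[1:] == pres[1:]
    return ref == pres


def verify_reference_identifier(reference: str, presented: list[tuple[str, str]]) -> tuple[bool, str]:
    """Return (matched, reason) for the configured Hostname/IP or IP/Host Address value.

    `reference` is the administrator-configured value; `presented` lists
    (type, value) pairs taken from the server certificate."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        # An IP literal may only match an iPAddress SAN, never a dNSName or CN-ID.
        for kind, value in presented:
            if kind != IP_ID:
                continue
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True, f"iPAddress SAN {value} matches"
            except ValueError:
                continue
        return False, "no iPAddress SAN matches the IP reference identifier"

    dns_sans = [value for kind, value in presented if kind == DNS_ID]
    for value in dns_sans:
        if _dns_name_match(reference, value):
            return True, f"dNSName SAN {value} matches"
    if not dns_sans:
        # RFC 6125 section 6.4.4: CN-ID only when no dNSName SAN exists. The guide
        # states CN-ID is an exact, case-sensitive match with no wildcards.
        for kind, value in presented:
            if kind == CN_ID and value == reference:
                return True, f"CN-ID {value} matches exactly"
    return False, "no presented identifier matches the reference identifier"


# Constructed sample identifiers, not taken from any real certificate.
SYSLOG_CERT_IDS = [
    (DNS_ID, "syslog.example.test"),
    (DNS_ID, "*.logs.example.test"),
    (IP_ID, "192.0.2.10"),
]
LDAPS_CN_ONLY_CERT_IDS = [(CN_ID, "ldap.example.test")]


def demo() -> dict[str, bool]:
    """Outcomes for values an administrator might enter in the Hostname/IP fields."""
    return {
        "fqdn_case_insensitive": verify_reference_identifier("SYSLOG.example.test", SYSLOG_CERT_IDS)[0],
        "wildcard_one_label": verify_reference_identifier("node1.logs.example.test", SYSLOG_CERT_IDS)[0],
        "wildcard_two_labels": verify_reference_identifier("a.node1.logs.example.test", SYSLOG_CERT_IDS)[0],
        "ipv4_san": verify_reference_identifier("192.0.2.10", SYSLOG_CERT_IDS)[0],
        "ipv4_not_in_san": verify_reference_identifier("192.0.2.11", SYSLOG_CERT_IDS)[0],
        "cn_exact": verify_reference_identifier("ldap.example.test", LDAPS_CN_ONLY_CERT_IDS)[0],
        "cn_wrong_case": verify_reference_identifier("LDAP.example.test", LDAPS_CN_ONLY_CERT_IDS)[0],
        "cn_ignored_when_san_present": verify_reference_identifier(
            "ldap.example.test", [(DNS_ID, "other.example.test"), (CN_ID, "ldap.example.test")])[0],
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:30} {'MATCH' if matched else 'NO MATCH'}")
```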

When ISE acts as a TLS server, it has no prior knowledge of the domain name and IP address of the clients connecting to it. The server identity verification methods described in RFC 6125, RFC 2818 and other RFCs are intended for a client’s verification of server identity through reference identifiers, to avoid man-in-the-middle attacks.

ISE will disallow importing ISE certificates with 1024-bit RSA key sizes when ISE is in FIPS mode. Configuring ISE into FIPS mode always sets the TLS server of the ISE Administration application to use a Diffie-Hellman parameter size of 2048 bits.

Steps for Configuring X.509 Certificate Revocation

When ISE (TOE) acts as a TLS client to Secure Syslog Audit Servers, Certificate Revocation List (CRL) servers must be configured for each of the Intermediate and Trust Anchor Root Certificate Authorities. The Certificate Revocation List information in the X.509 CRL Distribution Points extension is not used. Certificate revocation using OCSP responders is unsupported when ISE acts as a TLS client to Secure Syslog Audit Servers. The steps for configuring Certificate Revocation Lists are detailed below in the section “Steps for Configuring X.509 Certificate Revocation using Certificate Revocation Lists (CRLs)”.

When ISE (TOE) acts as a TLS client to LDAP over TLS (LDAPS) servers, the Administrator may configure revocation checks to OCSP responder(s) and/or CRL server(s). When both OCSP responders and CRL servers are configured, the OCSP responder(s) are used to retrieve the certificate revocation status, and if a status determination cannot be made, the configured CRL server(s) are used to check revocation status. For OCSP, the Administrator may either configure the OCSP responder information or configure ISE to use the OCSP responder information contained in the certificate’s Authority Information Access (AIA) extension. For CRLs, Certificate Revocation List (CRL) servers must be configured for each of the Intermediate and Trust Anchor Root Certificate Authorities; the Certificate Revocation List information in the X.509 CRL Distribution Points extension is not used. The steps for configuring OCSP are detailed below in the section “Steps for Configuring X.509 Certificate Revocation using Online Certificate Status Protocol (OCSP)”. The steps for configuring Certificate Revocation Lists are detailed below in the section “Steps for Configuring X.509 Certificate Revocation using Certificate Revocation Lists (CRLs)”.


Steps for Configuring X.509 Certificate Revocation using Certificate Revocation Lists (CRLs)

Configure the CRL information for all Intermediate and Trust Anchor Root Certificate Authority certificates:

Select Menu: Administration > System > Certificates

Left-Side: Select Certificate Management > Trusted Certificates

For each Intermediate Certificate Authority and Trusted Anchor Root Certificate Authority, import the X.509 certificate and complete the following fields:

Check the checkbox “Download CRL”

Enter the URL to the CRL file in the “CRL Distribution URL” field

Leave the checkboxes unchecked for “Bypass CRL Verification if CRL is not Received” and “Ignore that CRL is not yet valid or expired”.

Press the “Save” button on each of the Trusted Certificate setting pages.

EXAMPLE: (screenshot not reproduced in this text)


Steps for Configuring X.509 Certificate Revocation using Online Certificate Status Protocol (OCSP) responders

1. Configure the OCSP Responder

Select Menu: Administration > System > Certificates

Left-Side: Select Certificate Management > OCSP Client Profile

Enter Administrator-defined values for the Name and Description fields.

To use the OCSP Responder information contained in the X.509 Authority Information Access (AIA) extension, check the radio button for “Use OCSP URLs specified in Authority Information Access (AIA)”.


Check the checkbox for “Enable Nonce Extension Support” when your OCSP responder uses nonces.

Check the checkbox for “Validate Response Signature”.

Scroll down and press the “Submit” button to save the configuration. Continue to Step 2.

EXAMPLE: Screenshot showing a configuration using the OCSP URLs specified in the Authority Information Access (AIA) extension (not reproduced in this text).

To enter the OCSP Responder information, overriding any OCSP URLs contained in the X.509 Authority Information Access (AIA) extension, complete the following fields:

Primary Server URL:


Check the checkbox “Enable Nonce Extension Support” if your OCSP responder is configured to use nonces.

Check the checkbox “Validate Response Signature”.

Optionally, an Administrator may configure a secondary OCSP responder that is used if the Primary OCSP Responder is unreachable.

To configure a secondary OCSP responder:

1. Check the “Enable Secondary Server” checkbox.

2. Enter the Secondary Server OCSP Responder URL. Check the checkbox “Enable Nonce Extension Support” when the OCSP responder uses nonces. Check the checkbox “Validate Response Signature”.

Scroll down and click the “Submit” button to save the settings.

EXAMPLE: (screenshot not reproduced in this text)


2. Configure the OCSP responder for all Intermediate and Trust Anchor Root Certificate Authority certificates

Select Menu: Administration > System > Certificates

Left-Side: Select Certificate Management > Trusted Certificates

For each Intermediate Certificate Authority and Trusted Anchor Root Certificate Authority, import the X.509 certificate and complete the following fields:

Check the checkbox “Validate against OCSP Server” and select from the pulldown the name of the OCSP Client Profile created in step 1.

Check the checkboxes “Reject the request if OCSP returns UNKNOWN status” and “Reject the request if OCSP Responder is unreachable”.

Click the “Save” button to save the settings.

EXAMPLE: (screenshot not reproduced in this text)
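A model of the revocation decision that the CRL and OCSP procedures above configure, written as an added example (not ISE’s own code) to show why the guide requires the fail-closed checkboxes. It assumes the two OCSP “Reject the request…” settings take precedence over the CRL fallback, and that when no setting rejects and no CRL is configured the certificate passes; both are modelling assumptions, not documented ISE behaviour.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Ocsp(Enum):
    """Outcome of querying the primary (then secondary) OCSP responder."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"            # responder answered but has no record of the serial
    UNREACHABLE = "unreachable"    # no usable signed response from any configured responder


class Crl(Enum):
    """Outcome of fetching the CRL from the configured CRL Distribution URL."""
    NOT_LISTED = "not listed"
    REVOKED = "revoked"
    NOT_RECEIVED = "not received"
    OUTSIDE_VALIDITY = "not yet valid or expired"


@dataclass(frozen=True)
class TrustedCertSettings:
    """Checkboxes on the ISE Trusted Certificates page, as named in the guide."""
    validate_against_ocsp: bool = False
    reject_if_ocsp_unknown: bool = False
    reject_if_ocsp_unreachable: bool = False
    download_crl: bool = False
    bypass_crl_if_not_received: bool = False
    ignore_crl_validity_window: bool = False


# Settings the guide requires: OCSP rejects on UNKNOWN/unreachable, CRL has no bypass.
EVALUATED_LDAPS = TrustedCertSettings(validate_against_ocsp=True, reject_if_ocsp_unknown=True,
                                      reject_if_ocsp_unreachable=True, download_crl=True)
EVALUATED_SYSLOG = TrustedCertSettings(download_crl=True)   # OCSP is unsupported for syslog
# Everything bypassed: the configuration the guide tells the administrator NOT to use.
PERMISSIVE = TrustedCertSettings(validate_against_ocsp=True, download_crl=True,
                                 bypass_crl_if_not_received=True, ignore_crl_validity_window=True)


def revocation_decision(settings: TrustedCertSettings, ocsp: Ocsp | None = None,
                        crl: Crl | None = None) -> tuple[bool, str]:
    """Return (accept, reason) for one certificate issued by the trusted CA."""
    if settings.validate_against_ocsp:
        if ocsp is Ocsp.GOOD:
            return True, "OCSP: good"
        if ocsp is Ocsp.REVOKED:
            return False, "OCSP: revoked"
        if ocsp is Ocsp.UNKNOWN and settings.reject_if_ocsp_unknown:
            return False, "OCSP: unknown, rejected by 'Reject the request if OCSP returns UNKNOWN status'"
        if ocsp is Ocsp.UNREACHABLE and settings.reject_if_ocsp_unreachable:
            return False, "OCSP: unreachable, rejected by 'Reject the request if OCSP Responder is unreachable'"
        if not settings.download_crl:
            # Modelling assumption: no reject box set and no CRL means nothing blocks the certificate.
            return True, f"OCSP: {ocsp.value if ocsp else 'not queried'}, no CRL fallback (fail open)"
        # Status undetermined: the guide says the configured CRL server(s) are consulted next.
    if settings.download_crl:
        if crl is Crl.NOT_LISTED:
            return True, "CRL: valid and serial not listed"
        if crl is Crl.REVOKED:
            return False, "CRL: serial listed"
        if crl is Crl.NOT_RECEIVED:
            if settings.bypass_crl_if_not_received:
                return True, "CRL: not received, bypassed by 'Bypass CRL Verification if CRL is not Received'"
            return False, "CRL: not received"
        if crl is Crl.OUTSIDE_VALIDITY:
            if settings.ignore_crl_validity_window:
                return True, "CRL: outside validity window, ignored by 'Ignore that CRL is not yet valid or expired'"
            return False, "CRL: not yet valid or expired"
    return False, "no usable revocation source; status undetermined"


def demo() -> dict[str, bool]:
    """Accept/reject outcomes for the same failure scenarios under each profile."""
    return {
        "ldaps_good": revocation_decision(EVALUATED_LDAPS, Ocsp.GOOD)[0],
        "ldaps_unknown": revocation_decision(EVALUATED_LDAPS, Ocsp.UNKNOWN, Crl.NOT_LISTED)[0],
        "ldaps_unreachable": revocation_decision(EVALUATED_LDAPS, Ocsp.UNREACHABLE, Crl.NOT_LISTED)[0],
        "syslog_crl_ok": revocation_decision(EVALUATED_SYSLOG, crl=Crl.NOT_LISTED)[0],
        "syslog_crl_expired": revocation_decision(EVALUATED_SYSLOG, crl=Crl.OUTSIDE_VALIDITY)[0],
        "syslog_crl_missing": revocation_decision(EVALUATED_SYSLOG, crl=Crl.NOT_RECEIVED)[0],
        "permissive_all_down": revocation_decision(PERMISSIVE, Ocsp.UNREACHABLE, Crl.NOT_RECEIVED)[0],
        "evaluated_all_down": revocation_decision(EVALUATED_LDAPS, Ocsp.UNREACHABLE, Crl.NOT_RECEIVED)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:22} {'ACCEPT' if accepted else 'REJECT'}")
```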


3.3.3 Logging Configuration

The TOE logs all Identification & Authentication events and relevant administrator actions at the CLI & GUI by default, but in order to log session idle timeouts (FTA_SSL.3), a debug level must be set:

1. In the GUI choose Administration > System > Logging.

2. Click Logging > Debug Log Configuration from the navigation panel on the left.

3. Click the radio button 'admin-infra', then click 'Edit'.

4. Change the Log Level pulldown value to 'DEBUG'.

5. Press the 'Save' button.

6. Click the radio button 'infrastructure', then click 'Edit'.

7. Change the Log Level pulldown value to 'DEBUG'.

8. Press the 'Save' button.

3.3.4 SSH Public-Key Authentication

To configure SSH public key authentication to the command line interface (CLI), run the commands in this section on each ISE node:


1. Create a CLI user

Log in to the CLI as an admin-role user and run the Global Configuration username command. Example showing creation of username foobar with admin-role access:

hostname/userid# configure terminal
hostname/userid(config)# username foobar password plain PggZyTzsJVVXp9N role admin
hostname/userid(config)# end
hostname/userid# copy running-config startup-config

2. Generate an SSH RSA keypair for the CLI user created in step 1.

On a non-TOE host, generate an SSH RSA keypair using the OpenSSH 'ssh-keygen' program or a suitable alternative that can format the public key in the format produced by OpenSSH.

EXAMPLE showing an SSH RSA keypair created for user foobar with 4096 bits:

# /usr/bin/ssh-keygen -v -b 4096 -t rsa -N K99CNYM8tQP2F8M -C foobar@ise-administration-node -f /home/foobar/foobar_ise-administration-node.key
Generating public/private rsa key pair.
Your identification has been saved in /home/foobar/foobar_ise-administration-node.key.
Your public key has been saved in /home/foobar/foobar_ise-administration-node.key.pub.
The key fingerprint is:
6f:af:8c:f3:1b:6f:e0:16:22:30:22:ae:da:96:0c:46 foobar@ise-administration-node
The key's randomart image is:
+--[ RSA 4096]----+
| |
| |
| |
|.E. o |
|o. . o S |
|.o . ..o |
|oo . . o+o |
|..+ .+o+. |
|o.. .+=+o |


+-----------------+

3. Copy the public key file to a server reachable by the ISE node (TOE)

For example, copy the public key file to an SFTP server location:

# cd /home/foobar
# scp foobar_ise-administration-node.key.pub sftpuser@sftp-server:/home/sftpuser/pub/
sftpuser@sftp-server's password:
foobar_ise-administration-node.key.pub 100% 752 0.7KB/s 00:00

4. Using a web browser, log in to the ISE Primary Administration Node as a SuperAdmin-role user and configure an ISE 'repository' to enable ISE to retrieve the public key file from the SFTP server.

Navigate to:

Menu: Administration > System > Maintenance

Left-Side: select 'Repository'

Content: Click the 'Add' button.

Repository Name: <Customer Defined Name of Repository>

Protocol: select SFTP or other desired protocol

Location:

Server Name: <hostname or IPv4 address of SFTP server>

Path: <path where the SFTP Username provided in the subsequent fields has Read access and where the SSH RSA public key was copied in step 3>

Credentials:

User Name: <userid of SFTP server>

Password: <password for userid on SFTP server>

Click the 'Submit' button to save the values.

5. Add the SFTP server host key

Log on as an admin-role user to the CLI of the ISE node where the CLI user was created in step 1.

Run the EXEC command 'crypto host_key add host <FQDN or IPv4 address>':

hostname/userid# crypto host_key add host <FQDN or IPv4 address>

where <FQDN or IPv4 address> MUST match the value configured under the SFTP Repository 'Server Name' field.


6. Authorize the use of the public key for the user created in step 1.

Log in to the ISE Command Line Interface (CLI) as the user created in step 1 using the password authentication method.

Add the SFTP server host key: run the EXEC command 'crypto host_key add host <FQDN or IPv4 address>':

hostname/userid# crypto host_key add host <FQDN or IPv4 address>

where <FQDN or IPv4 address> MUST match the value configured under the SFTP Repository 'Server Name' field.

Verify that the SSH RSA public key file is accessible from the ISE SFTP client:

hostname/userid# show repository sftp | include foobar
foobar_ise-administration-node.key.pub

The foobar_ise-administration-node.key.pub filename in the command output indicates that the public key file in the example is present on the SFTP server and that the ISE SFTP client is able to list the file.

Authorize the public key for the user: run the 'crypto key import <public key filename> repository <repository name>' command to authorize use of the SSH RSA public key in <public key filename> for the currently logged-in CLI user.

EXAMPLE:

hostname/foobar# crypto key import foobar_ise-administration-node.key.pub repository sftp

Verify the authorized SSH RSA public key for the user by running the CLI command 'show crypto authorized_keys'.

EXAMPLE:

hostname/foobar# show crypto authorized_keys
Authorized keys for foobar
ssh-rsa 6f:af:8c:f3:1b:6f:e0:16:22:30:22:ae:da:96:0c:46 foobar@ise-administration-node
hostname/foobar#

7. Using a non-TOE SSH client with the private key generated in step 2, authenticate to the ISE SSH server using public key authentication.
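An added helper (not part of the guide or of ISE) for steps 2 and 6 above: it parses the OpenSSH-format .pub file before it is copied to the SFTP server, reports the key type and RSA modulus size, and computes the colon-separated MD5 fingerprint in the form ssh-keygen printed in the example, so the value can be compared with the 'show crypto authorized_keys' output. The sample key line is constructed around a dummy modulus and is not a real key.

```python
import base64
import hashlib
import struct


def _read_ssh_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one RFC 4251 'string' (uint32 big-endian length prefix + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an RFC 4251 mpint (leading 0x00 keeps the sign bit clear)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def inspect_openssh_public_key(line: str) -> dict:
    """Parse one '<type> <base64 blob> [comment]' line as written by ssh-keygen.

    Returns the key type, the RSA modulus size in bits, the comment, and the
    legacy MD5 fingerprint (MD5 over the decoded blob, hex pairs joined by ':')."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_ssh_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("key type in text does not match the encoded blob")
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here")
    _exponent, off = _read_ssh_string(blob, off)
    modulus, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after the RSA public key")
    digest = hashlib.md5(blob).hexdigest()
    return {
        "type": key_type,
        "bits": int.from_bytes(modulus, "big").bit_length(),
        "fingerprint_md5": ":".join(digest[i:i + 2] for i in range(0, 32, 2)),
        "comment": comment,
    }


def build_sample_pubkey_line(bits: int = 4096, comment: str = "foobar@ise-administration-node") -> str:
    """Build a syntactically valid ssh-rsa line around a DUMMY modulus (constructed, not a real key)."""
    e = 65537
    n = (1 << (bits - 1)) | 0x10001          # top bit set so the modulus is exactly `bits` long
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    info = inspect_openssh_public_key(build_sample_pubkey_line())
    print(f"{info['type']} {info['bits']} bits  {info['fingerprint_md5']}  {info['comment']}")
```

To check a real file, pass the first line of foobar_ise-administration-node.key.pub to inspect_openssh_public_key instead of the constructed sample.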

3.3.5 Synchronizing Configurations Between TOE Iterations

The TOE includes the ability to run ISE in a distributed installation, where multiple ISE devices connect to share logs and configuration data. To configure the TOE in this manner, follow [2] under Deploy Cisco ISE Nodes -> Set Up Cisco ISE in a Distributed Environment. In this configuration, TLS is used by default to secure the connection, with the exception of syslog transfer. To rectify this, the administrator must configure the logging protection as defined in Section 3.3.6 below.

3.3.6 Logging Protection

If a Security administrator wants to back up the logs between iterations of ISE, or send events to another IT entity, then protection must be provided for the communications. This requires that a TLS remote logging target be created and that UDP syslog be removed.

To configure ISE to send secure syslog to a log collector:

1. In the GUI choose Administration > System > Logging.

2. Click Remote Logging Targets from the navigation pane on the left.

a. Click Add.

b. Enter the desired fields for the new Remote Secure Syslog Receiver, including Name & IP Address or Fully Qualified Hostname.

In the IP/Host Address field enter the Fully Qualified Hostname when the Secure Syslog Server’s X.509 certificate contains a subjectAltName extension of type dNSName or when the subject Common Name value contains the fully qualified domain name of the Secure Syslog Server.

In the IP/Host Address field enter the IPv4 address when the Secure Syslog Server’s X.509 certificate contains a subjectAltName extension of type iPAddress.

c. Change the pulldown menu for the Target Type to Secure Syslog.

d. Confirm that the port is set to the default standard Secure Syslog port: TCP 6514.

e. Click the checkmark next to Buffer Messages When Server Down.

f. Click the checkmark next to Enable Server Identity Check.

g. Change the pulldown menu for Select CA Certificate to the Certificate Authority certificate for the Secure Syslog server.

h. Leave other fields at their default values.

i. Ensure that the checkbox for “Include Alarms for this Target” remains unchecked. If this box is checked, insecure UDP Alarms will be sent.


j. Click Submit.

After ‘Submit’ is clicked, the newly added syslog node appears in the table of Remote Logging Targets. By default, upon adding the Remote Logging Target, the Remote Logging Target is Enabled. However, syslog messages are not sent to this Remote Logging Target until the administrator has configured which types of audit records are desired. The next set of steps describes how to control what types of audit record syslog messages get sent to the Remote Logging Target just added:

1. In the GUI choose Administration > System > Logging.

2. Click Logging Categories from the navigation pane on the left.

3. For every radio button do the following:

a. Click the radio button.

b. Click Edit.

c. Select the Name of the secure Remote Logging Target configured above in the Targets -> Available box (left side), and press the > button to move it to the Selected box.

d. Click Save.

Set up Cisco peer ISE nodes to receive secure syslog (another iteration of ISE):

1. In the GUI choose Administration > System > Logging.

2. Click Remote Logging Targets from the navigation panel on the left.

3. Disable the LogCollector.

a. Click the LogCollector radio button.

b. Click Edit.

c. Choose Disabled from the Status drop-down list box.

d. Examine the list of log collectors to determine if an additional UDP collector exists (LogCollector2), and if so, repeat steps a-c for that entry.

e. Click Save.

4. Enable the Secure Syslog Collector.

a. Click the TCPLogCollector radio button.

b. Click Edit.

c. Choose Enabled from the Status drop-down list box.

d. Click Save.

Other TLS-capable syslog targets can also be used as logging targets. Kiwi Syslog is an example of a syslog server that supports this functionality.


4. Secure Management

4.1 User Roles

The ISE 2.0 TOE by default has multiple supported administrative group roles that compose the Security administrator role described in the Security Target [5]. The TOE also allows for customization of other roles. The GUI roles and their configuration are covered in [2] under Setting Up Cisco ISE Management Access -> Managing Administrators and Admin Access Policies -> Cisco ISE Administrator Groups. The access table below is provided for reference. Note that not all commands and menus are relevant to the TSF. Those that are have been referenced elsewhere in this document.

In addition to this table, all authenticated GUI roles have access to the Home Tab, where access is given to the following functionality:

• Ability to acknowledge alarms, thus dismissing these alarms for other administrative users. NOTE: the configuration changes are still present in the Configuration Changes Audit report.

• See the splash window that indicates if the version is an ISE Evaluation Copy.

• View the post-login banner.

• View the status of each of the ISE nodes, CPU, memory and latency.

• View alarms, including the ability to view the details for some alarms. E.g., viewing the details on Configuration Changes in the Configuration Audit Detail is possible for all authenticated users.

• View the number of passed and failed end-user/device authentications.

• View the number of profiled endpoints.

Refer to [1] for available commands and associated roles and privilege levels at the CLI.

Warning: Usage of the Super Admin role, which has access to all functionality, should be limited after installation, and users should be granted roles that give the least privilege necessary to accomplish their work.

Table 8: Default RBAC Menu Access Permissions

Menu Access Name | RBAC Group | Permissible Set of Menu Items

Super Admin Menu Access | Super Admin |
  • Operations > All menu items
  • Policy > All menu items
  • Administration > All menu items

Policy Admin Menu Access | Policy Admin |
  • Operations > All menu items
  • Policy > All menu items
  • Administration >
    – Identity Management > All menu items
    – System > Settings

Helpdesk Admin Menu Access | Helpdesk Admin |
  • Operations > All menu items

Identity Admin Menu Access | Identity Admin |
  • Operations > All menu items
  • Administration >
    – Identity Management > All menu items

Network Admin Menu Access | Network Device Admin |
  • Operations > All menu items
  • Administration >
    – Network Resources > All menu items

System Admin Menu Access | System Admin |
  • Operations > Authentication, Alarms, Reports, and Troubleshoot
  • Administration >
    – System > All menu items

RBAC Admin Menu Access | RBAC Admin |
  • Operations > All menu items
  • Administration >
    – Admin Access > All menu items

MnT Admin Menu Access | MnT (Monitoring) Admin |
  • Operations > All menu items

4.2 Passwords

To prevent administrators from choosing insecure passwords, each password must meet the following requirements:

• At least 15 characters long

• Composed of any combination of characters that includes characters from at least 3 of these four character sets: upper case letters, lower case letters, numbers, and the following special characters: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, “)”

At Administration > System > Admin Access > Authentication, the password length can be set as well as additional password policies, such as enforcing the use of multiple character sets. Configuration of password policies is limited to the Super Admin and System Admin group roles on the GUI.

4.3 Clock Management

For instructions to manually set the local hardware clock, refer to the clock command in [1]. Configuration of clock settings is limited to the CLI administrator and the Super Admin and System Admin group roles on the GUI.


4.4 Identification and Authentication

Configuration of Identification and Authentication settings is restricted to the CLI administrator and the Identity Admin, Super Admin, and System Admin group roles on the GUI.

The ISE 2.0 can be configured to use the following authentication methods:

• Remote authentication (Active Directory and LDAP)

  o Refer to “Authentication Stores” elsewhere in this document for more details.

  o Requires the user to provide the correct username and password combination to authenticate.

• Local authentication

  o Administrative password: requires the user to provide the correct username and password combination to authenticate.

  o Public-key based: requires the user to provide the correct username and private key combination to authenticate.

4.5 Login Banners

The TOE may be configured at the GUI by the System Admin and Super Admin with pre-login banners for both the CLI and the GUI. These banners are displayed before the username and password prompts, and by default they say “Authorized users only!”. To customize the banner with the required text for your organization, go to the Administration > System > Admin Access > Settings > Access page and do the following:

1. On the left-side menu, double-click "Settings", then double-click "Access".

2. Under the GUI Sessions section, check the radio button to the left of "Pre-login banner".

3. Fill in the field with the required banner text for your organization, up to a 1520-character maximum.

4. Under the CLI Sessions section, check the radio button to the left of "Pre-login banner".

5. Fill in the field with the required banner text for your organization, up to a 1520-character maximum.

6. Press the 'Save' button to commit the changes made in steps 1.3 and 1.4.

The CLI banner may also be configured by the CLI admin using the following command:

# banner install pre-login <filename> repository <reponame>

where filename is the file that contains the banner, and reponame is the location of the file. The command ‘banner remove pre-login’ can be used to remove the banner.

The GUI banner will look like the following when configured: (screenshot not reproduced in this text)


The SSH banner will look like the following when the CLI banner is configured:

ssh admin@generic-domain
Authorized users only!
admin@generic-domain 's password:
Last login: Thu Feb 23 20:23:11 2012 from host-lnx2.generic-domain.com
generic-domain/admin#

4.6 Verifying Software Version

The TOE allows the CLI administrator to verify the version of software running by entering the command

show application version ise

The console displays information similar to the following screen (screenshot not reproduced in this text). The version must be 2.0.1 to be in the evaluated configuration.

To check the Cisco Application Deployment Engine (ADE) Release 2.4 operating system (ADE-OS) version, at the system prompt enter the command

show version

The console displays output similar to the following:

Cisco Application Deployment Engine OS Release: 2.4
ADE-OS Build Version: 2.4.0.147


4.7 Services on the Box

See Appendix B -> Cisco ISE 3400/3500 Series Appliance Ports Reference for the list of services running on ISE and their available ports and interfaces.

4.8 Secure Connection Recovery

In the event of failure of the secure connections used by the TOE, the following should be done:

1. TOE to TOE for audit data and configuration data: the secure connection will re-establish once a connection is available again between iterations of the TOE. The administrator should confirm that connection settings are still correct for each TOE iteration per Section 3.3.5, above.

2. TOE to LDAP (and Active Directory): the secure connection will re-establish once a connection is available again between the TOE and the remote authentication server. The administrator should confirm that connection settings are still correct per [2] as referenced in Section 3.2.4, above.

3. TOE to Syslog server: when the optional ISE Remote Logging Target configuration field Buffer Messages When Server Down is checked on a Remote Logging Target, audit data is not lost during a failure to reach the Secure Syslog servers, as the audit records are stored and forwarded as soon as communications are re-established (store-and-forward). When the Buffer Messages When Server Down field is unchecked, audit records may be lost during the period in which secure communications to any Secure Syslog server were lost.

5. Security Relevant Events

ISE 2.0 can maintain logs in multiple locations: local storage of the generated audit records, and, when configured for a syslog backup, simultaneous offload of those events to a peer instantiation of ISE or a different log server. ISE 2.0 administrators should review logs at both locations. Instructions for viewing logs are found in Section 5.1 below.

Audit events are simultaneously sent to the external server and the local store upon creation. If the external server is not available, the TOE will buffer events until they can be sent.

The audit fields in each audit event will contain at a minimum the following:

Example event: 2013-03-16 01:32:21.512 +00:00 0000000997 60079 NOTICE Administrator-Login: A failure to establish an SSL session was detected, ConfigVersionId=4, AdminIPAddress=10.34.84.155, OperationMessageText=no cipher suites in common, PortNumber=443]

Date: In year-month-day format: 2013-03-16

Time: In hour:minute:second.millisecond format: 01:32:21.512

Type of event: Administrator-Login


Subject identity: Available when the action is run by an authorized TOE administrator user, such as “user: lab”. In cases where the audit event is not associated with an authorized user, an IP address may be provided for the non-TOE endpoint and/or TOE.

IP address: (Optional) May be provided along with the subject identity of a specific authorized TOE administrator: AdminIPAddress=10.34.84.155.

Port number: (Optional) May be provided along with the IP address for connections to the box: PortNumber=443.

Outcome (Success or Failure): Success may be explicitly stated with “success” or “passed” contained within the audit event, or is implicit in that there is no failure or error message. More specifically, for failed logins “authentication failed” will appear in the audit event. For successful logins, “authentication succeeded” will appear in the associated audit event. For failed events, “failure” will be denoted in the audit event. For other audit events a detailed description of the outcome may be given in lieu of an explicit success or failure. For example, for termination of an SSH session a detailed description is given in the associated audit event: “Received disconnect from 10.34.85.13: 11: Closed due to user request.”

Additional Audit Information: As described in Column 3 of Table 9 below.

As noted above, the information includes at least all of the required information. Example audit events are included below by Security Functional Requirement.

Audit events can also be viewed at the GUI, where they are displayed with field labels that

closely correspond to the required logging fields in the NDcPP. Following is an example log

from the Configuration Audit Log that tracks changes made to the TOE by an administrator.

In this example, the date and time are in the ‘Logged At’ field; the type of event is in the ‘Object

Type’ field; the subject identity is in the ‘Administrator’ field; and the outcome is in the ‘Event’

field where it is noted that the configuration was changed. No event would be generated in this

log for failed configuration attempts due to the nature of the GUI. Privileges that are not granted

Page 38: Cisco Identity Services Engine (ISE) - NIAP CCEVS · 1 Cisco Identity Services Engine (ISE) Common Criteria Operational User Guidance And Preparative Procedures Version 0.5 January

38

to an administrator role do not even appear on their screen as an option, thus they have no access

to them.
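A parser for the iseLocalStore.log record layout that the fields above describe, written as an added Python example (not part of this guidance and not Cisco's code). It separates the header (date, time, UTC offset, sequence number, message code, severity, category) from the message and the comma-separated key=value fields, honours the "\," escape the sample records use for literal commas inside values, picks the subject identity (AdminName, otherwise the IP address) and classifies the outcome with the wording rules given above. The sample records are quoted from Table 9 below, re-joined onto single lines; the failed-login filter at the end is the kind of check a reviewer of the local store would run. The FailureFlag handling and the treatment of "error" as a failure indicator are assumptions drawn from the sample records rather than rules stated in the text.

```python
"""Parser for ISE local-store audit records of the layout described above.
Added example, not Cisco code; sample records are quoted from Table 9."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# <date> <time> <utc-offset> <sequence> <message-code> <severity> <category>: <message>, key=value, ...
# Searched, not anchored, so a syslog-relayed copy that carries its own prefix also parses.
HEADER_RE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{2}:\d{2} "
    r"(?P<seq>\d+) (?P<code>\d+) (?P<severity>[A-Z]+) (?P<category>[A-Za-z-]+): (?P<rest>.*)$")
# Field separator: a comma not preceded by a backslash (records escape literal commas as "\,").
FIELD_SPLIT_RE = re.compile(r"(?<!\\),\s*")


@dataclass
class AuditRecord:
    date: str
    time: str
    sequence: int
    code: int
    severity: str
    category: str   # the "type of event", e.g. Administrator-Login
    message: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def subject(self) -> str:
        # Subject identity: the administrator when the action ran under one, else the address.
        for key in ("AdminName", "AdminIPAddress", "Admin IPAddress"):
            if key in self.fields:
                return self.fields[key]
        return "unknown"

    @property
    def outcome(self) -> str:
        # Wording rules from the guidance, applied to the message and OperationMessageText.
        flag = self.fields.get("FailureFlag")
        if flag is not None:                      # assumption: honour an explicit flag first
            return "FAILURE" if flag.lower() == "true" else "SUCCESS"
        text = (self.message + " " + self.fields.get("OperationMessageText", "")).lower()
        if "authentication failed" in text:
            return "FAILURE"
        if "authentication succeeded" in text:
            return "SUCCESS"
        if "fail" in text or "error" in text:     # "failure" is denoted for failed events
            return "FAILURE"
        if "success" in text or "passed" in text:
            return "SUCCESS"
        return "SUCCESS"                          # implicit: no failure or error message


def parse_record(line: str) -> Optional[AuditRecord]:
    """Return the parsed record, or None when the line is not a local-store record."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    parts = [p.strip() for p in FIELD_SPLIT_RE.split(m.group("rest")) if p.strip()]
    message = parts[0] if parts else ""
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for part in parts[1:]:
        if "=" in part:
            key, _, value = part.partition("=")
            last_key = key.strip()
            fields[last_key] = value.strip().replace("\\,", ",")
        elif last_key is not None:                # unescaped comma inside the previous value
            fields[last_key] += ", " + part
        else:
            message += ", " + part
    return AuditRecord(m["date"], m["time"], int(m["seq"]), int(m["code"]),
                       m["severity"], m["category"], message, fields)


def failed_logins(records: List[AuditRecord]) -> List[AuditRecord]:
    """Administrator-Login records whose outcome is a failure: the rows a reviewer checks first."""
    return [r for r in records if r.category == "Administrator-Login" and r.outcome == "FAILURE"]


# Sample records quoted from Table 9, re-joined onto single lines.
SAMPLE_RECORDS = [
    "2013-03-16 01:32:21.512 +00:00 0000000997 60079 NOTICE Administrator-Login: A failure to "
    "establish an SSL session was detected, ConfigVersionId=4, AdminIPAddress=10.34.84.155, "
    "OperationMessageText=no cipher suites in common, PortNumber=443",
    "2013-03-12 23:06:15.252 +00:00 0000000210 51001 NOTICE Administrator-Login: Administrator "
    "authentication succeeded, ConfigVersionId=4, AdminInterface=GUI, Admin IPAddress=10.154.25.7, "
    "AdminSession=2A8E11B8CBBEA152C1D7D78811A8D113, AdminName=admin43, "
    "OperationMessageText=Administrator authentication successful,",
    "2013-02-27 21:48:44.163 +00:00 0000006654 51021 NOTICE Administrator-Login: Administrator "
    "authentication failed. Wrong password., ConfigVersionId=112, AdminInterface=GUI, "
    "AdminIPAddress=10.34.85.13, AdminName=admin43, OperationMessageText=Wrong password,,",
    "Jul 2 00:32:00 ise3515 CISE_Administrative_and_Operational_Audit 0000000041 1 0 2016-07-02 "
    "00:32:00.620 +00:00 0000221661 60156 NOTICE System-Management: Secure communication "
    "establishment with syslog server failed, ConfigVersionId=123, OperationMessageText=Secure "
    "communication with syslog server at 172.23.88.23:6514 failed. ,",
    r"2013-03-16 00:26:35.189 +00:00 0000000901 60108 NOTICE System-Management: Application patch "
    r"started, ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, "
    r"OperationMessageText=Patch Install initiated with bundle - ise-patchbundle-1.2.0.671-04.i386.tar.gz\, "
    r"repo - tmplocalpatchinstallrepo, AcsInstance=sec-sns-3495,",
]

if __name__ == "__main__":
    for r in filter(None, map(parse_record, SAMPLE_RECORDS)):
        print(r.date, r.time, r.sequence, r.category, r.subject, r.outcome)
```

Run against the five sample records, the parser reports the SSL failure and the wrong-password login as failed Administrator-Login events, the GUI login as a success, the syslog-channel failure as a System-Management failure with no administrator subject, and the patch start as an implicit success; the escaped comma in the patch bundle name stays inside the OperationMessageText value.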

Table 9: Auditable Events

Columns: Requirement | Auditable Events | Additional Audit Record Contents | Sample Record and Location

Requirement: FCS_HTTPS_EXT.1
Auditable Events: Failure to establish a HTTPS Session.
Additional Audit Record Contents: Reason for failure.
Sample Record and Location:
Failure to establish a HTTPS Session:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-03-16 01:32:21.512 +00:00 0000000997 60079 NOTICE Administrator-Login: A failure to establish an SSL session was detected, ConfigVersionId=4, AdminIPAddress=10.34.84.155, OperationMessageText=no cipher suites in common, PortNumber=443

Requirement: FCS_TLSS_EXT.1 / FCS_TLSC_EXT.1
Auditable Events: Failure to establish a TLS Session
Additional Audit Record Contents: Reason for failure
Sample Record and Location:
Failure to establish a TLS Session:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-03-16 01:32:21.512 +00:00 0000000997 60079 NOTICE Administrator-Login: A failure to establish an SSL session was detected, ConfigVersionId=4, AdminIPAddress=10.34.84.155, OperationMessageText=no cipher suites in common, PortNumber=443
Jul 1 21:10:47 ise3515 CISE_Administrative_and_Operational_Audit 0000000028 1 0 2016-07-01 21:10:47.027 +00:00 0000218136 60180 NOTICE System-Management: Syslog server Identity check failed, ConfigVersionId=88, OperationMessageText=Secure communication with syslog server at 172.23.88.56:26514 - server identity check failed.,

Requirement: FCS_SSHS_EXT.1
Auditable Events: Failure to establish an SSH session. Successful SSH rekey.
Additional Audit Record Contents: Reason for failure. Non-TOE endpoint of connection (IP Address).
Sample Record and Location:
Failure to establish an SSH Session:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-12-19 06:29:11.105 +00:00 0000001012 60188 NOTICE Administrator-Login: An attempted SSH connection has failed, ConfigVersionId=5, AdminInterface=CLI, OperationMessageText=Invalid user NonExistentUser from 172.23.88.56, AcsInstance=sec-sns-3495,
Establishment of an SSH Session:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-07-18 21:34:15.419 +00:00 0000001210 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=5, AdminInterface=CLI, OperationMessageText=Accepted password for martinf43 from 10.21.167.148 port 8836 ssh2, AcsInstance=sec-sns-3495,

Requirement: FIA_UIA_EXT.1
Auditable Events: All use of the identification and authentication mechanism.
Additional Audit Record Contents: Provided user identity, origin of the attempt (e.g., IP address).
Sample Record and Location:
GUI with Username/Password - SUCCESS:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-03-12 23:06:15.252 +00:00 0000000210 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=4, AdminInterface=GUI, Admin IPAddress=10.154.25.7, AdminSession=2A8E11B8CBBEA152C1D7D78811A8D113, AdminName=admin43, OperationMessageText=Administrator authentication successful,
GUI with Username/Password - FAILURE:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-02-27 21:48:44.163 +00:00 0000006654 51021 NOTICE Administrator-Login: Administrator authentication failed. Wrong password., ConfigVersionId=112, AdminInterface=GUI, AdminIPAddress=10.34.85.13, AdminName=admin43, OperationMessageText=Wrong password,,
Local Console Username/Password – SUCCESS:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-12-04 23:48:25.635 +00:00 0000000482 60184 NOTICE Administrator-Login: A console CLI user has successfully logged in, ConfigVersionId=4, AdminInterface=CLI, OperationMessageText=LOGIN ON tty1 BY martinf43, AcsInstance=sec-sns-3495,
Local Console Username/Password – FAILURE:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-12-04 23:41:23.895 +00:00 0000000353 60185 NOTICE Administrator-Login: A console CLI user has attempted unsuccessfully to login, ConfigVersionId=4, AdminInterface=CLI, OperationMessageText=FAILED LOGIN 1 FROM (null) FOR martinf43\, Authentication failure, AcsInstance=sec-sns-3495,
SSH Username/Password – SUCCESS:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-07-18 21:34:15.419 +00:00 0000001210 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=5, AdminInterface=CLI, OperationMessageText=Accepted password for martinf43 from 10.21.167.148 port 8836 ssh2, AcsInstance=sec-sns-3495,
SSH Username/Password – FAILURE:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-02-28 23:29:12.703 +00:00 0000007738 60081 NOTICE Administrator-Login: A SSH CLI user has attempted unsuccessfully to login, ConfigVersionId=117, AdminInterface=CLI, OperationMessageText=Failed password for admin43 from 10.34.85.13 port 52959 ssh2, AcsInstance=sec-sns-3495,
SSH Public key authentication - SUCCESS:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-12-12 00:19:41.106 +00:00 0000000467 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=4, AdminInterface=CLI, OperationMessageText=Accepted publickey for foobar from 172.23.88.56 port 40780 ssh2, AcsInstance=infratest-10-01-pap,
SSH Public key authentication - FAILURE:
Viewed with: show logging application localStore/iseLocalStore.log tail:
013-12-12 00:12:49.407 +00:00 0000000453 60188 NOTICE Administrator-Login: An attempted SSH connection has failed, ConfigVersionId=4, AdminInterface=CLI, OperationMessageText=Received disconnect from 172.23.88.56: 11: Closed due to user request. [preauth], AcsInstance=infratest-10-01-pap,

Requirement: FIA_UAU_EXT.2
Auditable Events: All use of the identification and authentication mechanism.
Additional Audit Record Contents: Origin of the attempt (e.g., IP address).
Sample Record and Location:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-03-12 23:06:15.252 +00:00 0000000210 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=4, AdminInterface=GUI, Admin IPAddress=10.154.25.7, AdminSession=2A8E11B8CBBEA152C1D7D78811A8D113, AdminName=admin43, OperationMessageText=Administrator authentication successful,

Requirement: FIA_X509_EXT.1
Auditable Events: Unsuccessful attempt to validate a certificate
Additional Audit Record Contents: Reason for failure
Sample Record and Location:
Jul 2 00:32:00 ise3515 CISE_Internal_Operations_Diagnostics 0000000039 1 0 2016-07-02 00:32:00.620 +00:00 0000221659 34144 WARN System-Management: ISE failed secure syslog connection because of bad certificate in syslog server certificate chain, ConfigVersionId=123, DestinationPort=6514, LoggerName=audit_server_python,
Jul 2 00:32:00 ise3515 CISE_Internal_Operations_Diagnostics 0000000040 1 0 2016-07-02 00:32:00.620 +00:00 0000221660 34133 WARN System-Management: TLS handshake with syslog server failed, ConfigVersionId=123, DestinationPort=6514, LoggerName=audit_server_python,
Jul 2 00:32:00 ise3515 CISE_Administrative_and_Operational_Audit 0000000041 1 0 2016-07-02 00:32:00.620 +00:00 0000221661 60156 NOTICE System-Management: Secure communication establishment with syslog server failed, ConfigVersionId=123, OperationMessageText=Secure communication with syslog server at 172.23.88.23:6514 failed. ,

Requirement: FMT_MOF.1(1)/Audit
Auditable Events: Modification of the behaviour of the transmission of audit data to an external IT entity.
Additional Audit Record Contents: None.
Sample Record and Location:
Initiation of the trusted channel:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-06-10 20:53:57.737 +00:00 0000000009 60155 NOTICE System-Management: Secure communication with syslog server established, ConfigVersionId=3, OperationMessageText=Secure communication with syslog server at 172.23.88.35:6514 established

Requirement: FMT_MOF.1(1)/TrustedUpdate
Auditable Events: Any attempt to initiate a manual update
Additional Audit Record Contents: None.
Sample Record and Location:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-03-16 00:26:35.189 +00:00 0000000901 60108 NOTICE System-Management: Application patch started, ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, OperationMessageText=Patch Install initiated with bundle - ise-patchbundle-1.2.0.671-04.i386.tar.gz\, repo - tmplocalpatchinstallrepo, AcsInstance=sec-sns-3495,

Requirement: FMT_MTD.1
Auditable Events: All management activities of TSF data.
Additional Audit Record Contents: None
Sample Record and Location: See Table 10 (Auditable Administrative Events) below.

Requirement: FPT_STM.1
Auditable Events: Changes to the time.
Additional Audit Record Contents: The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address).
Sample Record and Location:
[old time shown in preceding record timestamp]
Viewed with: show logging application localStore/iseLocalStore.log tail:
013-12-05 22:52:05.956 +00:00 0000000644 58020 NOTICE System-Management: Clock set, ConfigVersionId=4, FailureFlag=false, RequestResponseType=final, AdminInterface=CLI, AdminIPAddress=10.154.25.94, AdminName=martinf42, OperationMessageText=Modified Clock to Dec 5 22:52:00 2013, AcsInstance=sec-sns-3415,

Requirement: FPT_TUD_EXT.1
Auditable Events: Initiation of update; result of the update attempt (success or failure)
Additional Audit Record Contents: No additional information.
Sample Record and Location:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-03-16 00:26:35.189 +00:00 0000000901 60108 NOTICE System-Management: Application patch started, ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, OperationMessageText=Patch Install initiated with bundle - ise-patchbundle-1.2.0.671-04.i386.tar.gz\, repo - tmplocalpatchinstallrepo, AcsInstance=sec-sns-3495,
Jul 2 00:55:11 ise3515 CISE_Administrative_and_Operational_Audit 0000000019 1 0 2016-07-02 00:55:11.676 +00:00 0000000067 60126 NOTICE System-Management: Application patch installation failed, ConfigVersionId=6, AdminInterface=GUI, AdminIPAddress=10.32.2.79, AdminName=martinf45, OperationMessageText=Error while trying to reboot , AcsInstance=ise3515

Requirement: FTA_SSL_EXT.1
Auditable Events: Any attempts at unlocking of an interactive session.
Additional Audit Record Contents: No additional information.
Sample Record and Location:
In the TOE this is represented by login attempts that occur after the timeout of an administrative user. See events for FIA_UIA_EXT.1 above.

Requirement: FTA_SSL.3
Auditable Events: The termination of a remote session by the session locking mechanism.
Additional Audit Record Contents: No additional information.
Sample Record and Location:
Client-Certificate Authentication Method:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-12-11 21:31:21.210 +00:00 0000000204 51003 NOTICE Administrator-Login: Session Timeout, ConfigVersionId=4, AdminSession=Session Timedout, AdminName=internetofeverything@windsurfer.cisco.com,
Password Authentication Method:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-12-04 23:01:22.143 +00:00 0000000264 51003 NOTICE Administrator-Login: Session Timeout, ConfigVersionId=4, AdminSession=Session Timedout, AdminName=martinf43,
LDAPS to Active Directory External Authentication Method:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-12-11 23:46:16.071 +00:00 0000000976 51003 NOTICE Administrator-Login: Session Timeout, ConfigVersionId=4, AdminSession=Session Timedout, AdminName=internetofeverything@windsurfer.cisco.com,
Console:
Viewed with: show logging application localStore/iseLocalStore.log tail:
013-12-04 23:04:21.278 +00:00 0000000268 60116 NOTICE System-Management: ADEOS CLI user has logged out, ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, OperationMessageText=User martinf43 logged out, AcsInstance=sec-sns-3495,

Requirement: FTA_SSL.4
Auditable Events: The termination of an interactive session.
Additional Audit Record Contents: No additional information.
Sample Record and Location:
Viewed with: show logging application localStore/iseLocalStore.log tail:
Password based authentication –
2013-02-28 06:15:34.322 +00:00 0000007114 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=117, AdminInterface=GUI, AdminIPAddress=10.35.88.189, AdminSession=01DECDD71A846CBEA32B7A2D0614C891, AdminName=admin43, OperationMessageText=User logged out,

Requirement: FTP_ITC.1
Auditable Events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Additional Audit Record Contents: Identification of the initiator and target of failed trusted channel establishment attempt.
Sample Record and Location:
Initiation of the trusted channel:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-06-10 20:53:57.737 +00:00 0000000009 60155 NOTICE System-Management: Secure communication with syslog server established, ConfigVersionId=3, OperationMessageText=Secure communication with syslog server at 172.23.88.35:6514 established
See events for FCS_TLSS_EXT.1 above.

Requirement: FTP_TRP.1
Auditable Events: Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions.
Additional Audit Record Contents: Identification of the claimed user identity.
Sample Record and Location:
See events for FCS_SSHS_EXT.1 and FCS_TLSS_EXT.1 above.

Table 10: Auditable Administrative Events

Requirement Management Action to Log & Sample Log

FAU_GEN.1: Audit data generation Logging starting:

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-06-10 20:53:41.675 +00:00 0000000001 32000 INFO Logging: Started

logging component, Startup/Shutdown

Changing logging settings (CLI):

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-12-18 21:23:34.379 +00:00 0000000377 60083 NOTICE System-

Management: Syslog Server configuration change, ConfigVersionId=5,

AdminInterface=CLI, AdminIPAddress=10.154.25.94,

AdminName=martinf43, OperationMessageText=Log level has been modified

to 7, AcsInstance=sec-sns-3495,

Changing logging settings (GUI):

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-04-25 22:52:52.637 +00:00 0000001963 52001 NOTICE Configuration-

Changes: Changed configuration, ConfigVersionId=23, AdminInterface=GUI,

AdminIPAddress=172.23.88.43, AdminName=admin43,

ConfigChangeData=Local Storage Period = 363 days,

ObjectType=LogSetting, ObjectName=LocalStore,

OperationMessageText=LoggingSettings "LocalStore" has been edited

successfully.

Clearing logs:

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-02-26 22:16:16.658 +00:00 0000004355 57000 NOTICE Configuration-

changes: Deleted rolled-over local log file(s), ConfigVersionId=111,

AdminInterface=GUI, AdminIPAddress=172.23.88.43,

AdminName=admin43, OperationMessageText=LocalStore Logs deleted

Successfully,

FAU_STG_EXT.1: Protected audit

event storage

Configuration of syslog receipt settings:

Viewed with: show logging application localStore/iseLocalStore.log tail:

Page 46: Cisco Identity Services Engine (ISE) - NIAP CCEVS · 1 Cisco Identity Services Engine (ISE) Common Criteria Operational User Guidance And Preparative Procedures Version 0.5 January

46

Requirement Management Action to Log & Sample Log

2013-07-19 07:39:19.879 +00:00 0000000141 52000 NOTICE Configuration-

Changes: Added configuration, ConfigVersionId=24, AdminInterface=GUI,

AdminIPAddress=172.23.88.15, AdminName=martinf15,

ConfigChangeData=Object created:\\\,Port = 6514\\\,Facility Code =

LOCAL6\\\,Length = 1024\\\,Description = ISE Primary Monitoring

Node\\\,Include Alarms = FALSE\\\,Buffer Message = TRUE\\\,Buffer Size =

100\\\,Reconnect Timeout = 30\\\,Certificate = CN=windsurfer-SURFER-AD-

01-CA DC=windsurfer\, DC=cisco\, DC=com\\\,Validation = FALSE\\\,,

ObjectType=LogTarget, ObjectName=PriMonitorTLSSyslog,

OperationMessageText=LoggingTargets "PriMonitorTLSSyslog" has been

created successfully. ,

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-07-19 07:40:34.489 +00:00 0000000146 52001 NOTICE Configuration-

Changes: Changed configuration, ConfigVersionId=25, AdminInterface=GUI,

AdminIPAddress=172.23.88.15, AdminName=martinf15,

ConfigChangeData=Object modified:\\\, Log Severity Level = INFO\\\,Local

Logging = enable\\\,Assigned Targets =

\{LogCollector\,LogCollector2\,PriMonitorTLSSyslog\},

ObjectType=Category, ObjectName=Administrative and Operational Audit,

OperationMessageText=LoggingCategories "Administrative and Operational

Audit" has been edited successfully.,

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-07-19 07:47:55.464 +00:00 0000000166 52001 NOTICE Configuration-

Changes: Changed configuration, ConfigVersionId=54, AdminInterface=GUI,

AdminIPAddress=172.23.88.15, AdminName=martinf15,

ConfigChangeData=Object modified:\\\,Port = 20514\\\,Facility Code =

LOCAL6\\\,Length = 1024\\\,Description = Syslog Target for Log

Collector\\\,Include Alarms = FALSE\\\,, ObjectType=LogTarget,

ObjectName=LogCollector, OperationMessageText=LoggingTargets

"LogCollector" has been edited successfully.,

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-07-19 07:50:35.622 +00:00 0000000167 52001 NOTICE Configuration-

Changes: Changed configuration, ConfigVersionId=68, AdminInterface=GUI,

AdminIPAddress=172.23.88.15, AdminName=martinf15,

ConfigChangeData=Object modified:\\\,Port = 20514\\\,Facility Code =

LOCAL6\\\,Length = 1024\\\,Description = Second Syslog Target for Log

Collector\\\,Include Alarms = FALSE\\\,, ObjectType=LogTarget,

ObjectName=LogCollector2, OperationMessageText=LoggingTargets

"LogCollector2" has been edited successfully.,

FCS_SSHS_EXT.1: SSH Configuration of SSH settings

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-04-30 01:45:22.396 +00:00 0000002151 60086 NOTICE System-

Management: ADEOS SSH Service configuration change,

ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1,

Page 47: Cisco Identity Services Engine (ISE) - NIAP CCEVS · 1 Cisco Identity Services Engine (ISE) Common Criteria Operational User Guidance And Preparative Procedures Version 0.5 January

47

Requirement Management Action to Log & Sample Log

AdminName=admin43, OperationMessageText=Service sshd configuration

has been modified to OFF, AcsInstance=sec-sns-3495,

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-04-30 01:47:58.033 +00:00 0000002154 60086 NOTICE System-

Management: ADEOS SSH Service configuration change,

ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1,

AdminName=admin43, OperationMessageText=Service sshd configuration

has been modified to ON, AcsInstance=sec-sns-3495,

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-12-05 05:37:12.663 +00:00 0000000786 60086 NOTICE System-

Management: ADEOS SSH Service configuration change,

ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=10.35.88.199,

AdminName=foobar, OperationMessageText=SSHD key-exchange algorithm

has been set to diffie-hellman-group14-sha1, AcsInstance=sec-sns-3495,

FCS_TLSS_EXT.1: TLS Server

Protocol / FCS_TLSC_EXT.1: TLS

Client Protocol

Configuration of TLS: including certificates:

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-04-23 00:46:51.633 +00:00 0000001071 52000 NOTICE Configuration-

Changes: Added configuration, ConfigVersionId=71,AdminInterface=GUI,

AdminIPAddress=10.34.85.15, AdminName=admin43,

ConfigChangeData=Self-signed certificate was generated\\\, Key Length =

2048\\\, Name = ISE admin Generated Self Signed Certificate for Auditable

Event test case\\\,Use for protocols = HTTPS\\\, Additional details:\\\, Issued

To = sec-sns-3495.cisco.com\\\, Issued By = sec-sns-3495.cisco.com\\\,

Subject = \\\,DC=com\\\,DC=cisco\\\,DC=selfsigned\\\,CN=sec-sns-

3495.cisco.com\\\, Serial Number = 5175d9f800000000811821669147ec5f\\\,

Valid From = Tue Apr 23 00:46:48 UTC 2013\\\, Valid To = Fri Apr 22

00:46:48 UTC 2016, ObjectType=CertificateGeneration,

ObjectName=GenerateCertificate, UserAdminFlag=Admin,

OperatorName=admin43, AcsInstance=sec-sns-3495

Page 48: Cisco Identity Services Engine (ISE) - NIAP CCEVS · 1 Cisco Identity Services Engine (ISE) Common Criteria Operational User Guidance And Preparative Procedures Version 0.5 January

48

Requirement Management Action to Log & Sample Log

FIA_PMG_EXT.1: Password

management

Setting length requirement for passwords:

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-04-23 01:21:44.551 +00:00 0000000101 52001 NOTICE

Configuration-Changes: Changed configuration, ConfigVersionId=6,

AdminInterface=GUI, AdminIPAddress=10.34.85.15, AdminName=admin43,

ConfigChangeData=object updated:

DigitCharsRequiredInPassword=true\\\,AllowUserNameInPassword=false\\

\,isLockoutEnabled=true\\\,AdminGuiSessionTimeout=60\\\,UpperCaseAlpha

CharsRequiredInPassword=true\\\,LockORSuspend=disable\\\,noOfLoginFaile

dAttempts=5\\\,PasswordPolicyEmailContent=This account has been locked.

For this account to become unlocked\, please contact your IT

helpdesk.\\\,AllowCharsRepeatedFourOrMoreTimesInPassword=true\\\,MaxS

uccessiveFailedAttemptsBeforeAdminDisabled=5\\\,DisableAdminAfterPerio

dOfInactivity=false\\\,MaxGenerationsPasswordUniqueAcross=3\\\,COUNT=

0\\\,MaxDaysForPasswordExpiration=60\\\,DisplayPasswordExpirationRemin

der=true\\\,MaxDaysForPasswordExpirationReminderDisplay=30\\\,LowerCas

eAlphaCharsRequiredInPassword=true\\\,PasswordChangeDelta=3\\\,Maximu

mPasswordLength=25\\\,Description=NSF Administrator Password

Configuration\\\,NoPreviousPasswordChk=true\\\,adminLockoutTime=15\\\,Di

sableUserIfPasswordNotChangedAfterExpiration=true\\\,DisableAdminAfterS

uccessiveFailedAttempts=false\\\,AllowCiscoInPassword=true\\\,SpecialChars

RequiredInPassword=false\\\,MaxDaysOfInactivityBeforeAdminDisabled=0\\\

,MaxDaysOfInactivityBeforePasswordChange=0\\\,RequirePasswordChangeA

fterInactivity=false\\\,AllowIllegalStringInPassword=true\\\,MinimumPasswor

dLength=15\\\,PasswordChangeDeltaChk=false, ObjectType=Password

Policy, ObjectName=NSFAdminPasswordConfig,

Component=Administration, ObjectInternalID=3f91dab0-a7c7-11e2-82cb-

0050568e0196,

FIA_UIA_EXT.1: User identification

and authentication

Logging into ISE:

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-03-12 23:06:15.252 +00:00 0000000210 51001 NOTICE Administrator-

Login: Administrator authentication succeeded, ConfigVersionId=4,

AdminInterface=GUI, Admin IPAddress=10.154.25.7,

AdminSession=2A8E11B8CBBEA152C1D7D78811A8D113,

AdminName=admin43, OperationMessageText=Administrator authentication

successful,

FMT_SMF.1: Specification of

management functions

Configuring users with local/ remote access to ISE:

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-06-26 02:17:09.886 +00:00 0000007223 60182 NOTICE System-

Management: RSA key configuration has been modified, ConfigVersionId=56,

AdminInterface=CLI, AdminIPAddress=10.34.85.15, AdminName=foobar,

OperationMessageText=Authorized key

17:75:c5:99:e9:41:78:32:0b:a7:86:c4:0f:8b:4a:c1 for user foobar imported,

AcsInstance=infratest-10-01-pap,

Viewed with: show logging application localStore/iseLocalStore.log tail:

Page 49: Cisco Identity Services Engine (ISE) - NIAP CCEVS · 1 Cisco Identity Services Engine (ISE) Common Criteria Operational User Guidance And Preparative Procedures Version 0.5 January

49

Requirement Management Action to Log & Sample Log

2013-06-25 23:37:00.060 +00:00 0000006982 60084 NOTICE System-

Management: ADEOS

CLI user configuration change, ConfigVersionId=56, AdminInterface=CLI,

AdminIPAddress=10.34.85.15, AdminName=admin15,

OperationMessageText=Added user foobar with role: Admin state: Enabled

successfully, AcsInstance=infratest-10-01-pap,

Viewed with: show logging application localStore/iseLocalStore.log tail:

013-06-25 22:09:41.229 +00:00 0000006913 60084 NOTICE System-

Management: ADEOS CLI user configuration change, ConfigVersionId=56,

AdminInterface=CLI, AdminIPAddress=10.34.85.15, AdminName=admin15,

OperationMessageText=Added user clileastprivilege with role: User state:

Enabled successfully, AcsInstance=infratest-10-01-pap,

Configuring the banner displayed prior to authentication:

See FTA_TAB.1 row below.

Configuring any cryptographic functions: See FCS rows above.

FMT_SMR.2: Restrictions on Security

roles

Configuring administrative users with specified roles (Add administrative

user):

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-03-26 20:23:29.078 +00:00 0000000192 52000 NOTICE Configuration-

Changes: Added configuration, ConfigVersionId=73, AdminInterface=GUI,

AdminIPAddress=10.34.85.13, AdminName=admin43,

ConfigChangeData=object created:

Name=Tnt1666519c\\\,CredentialPassword=*************\\\,isAlarmEmaila

ble=False\\\,Description=for test

Tnt1666519c\\\,SecurID=False\\\,nsfUserTypeRole=ADMIN_ONLY\\\,Lastna

me=1666519c\\\,Firstname=Tnt\\\,isEmailInHtmlFormat=False\\\,AllowPassw

ordChangeAfterLogin=false, ObjectType=Administrators,

ObjectName=Tnt1666519c, Component=Administration,

ObjectInternalID=05495480-9653-11e2-ab0f-5057a8e1cdac,

Configuring administrative users with specified roles (Delete administrative

user):

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-03-26 22:41:44.525 +00:00 0000000310 52002 NOTICE Configuration-

Changes: Deleted configuration, ConfigVersionId=73, AdminInterface=GUI,

AdminIPAddress=10.34.85.13, AdminName=admin43,

ConfigChangeData=object deleted: Name=Tnt1666519c,

ObjectType=Administrators, ObjectName=Tnt1666519c,

Component=Administration, ObjectInternalID=05495480-9653-11e2-ab0f-

5057a8e1cdac,

FPT_STM.1: Reliable time stamps

Manual changes to the system time:

Viewed with: show logging application localStore/iseLocalStore.log tail:

Page 50: Cisco Identity Services Engine (ISE) - NIAP CCEVS · 1 Cisco Identity Services Engine (ISE) Common Criteria Operational User Guidance And Preparative Procedures Version 0.5 January

50

Requirement Management Action to Log & Sample Log

013-12-05 22:52:05.956 +00:00 0000000644 58020 NOTICE System-

Management: Clock set, ConfigVersionId=4, FailureFlag=false,

RequestResponseType=final, AdminInterface=CLI,

AdminIPAddress=10.154.25.94, AdminName=martinf42,

OperationMessageText=Modified Clock to Dec 5 22:52:00 2013,

AcsInstance=sec-sns-3415,

FPT_TUD_EXT.1: Trusted update Software updates:

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-03-16 00:26:36.194 +00:00 0000000902 60154 NOTICE System-

Management: Application patch install has completed successfully,

ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1,

AdminName=system, OperationMessageText=Patch (04) installation

successful, AcsInstance=sec-sns-3495,

Viewed with: show logging application localStore/iseLocalStore.log tail:

2013-03-16 00:26:35.189 +00:00 0000000901 60108 NOTICE System-

Management: Application patch started, ConfigVersionId=4,

AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system,

OperationMessageText=Patch Install initiated with bundle - ise-patchbundle-

1.2.0.671-04.i386.tar.gz\, repo - tmplocalpatchinstallrepo, AcsInstance=sec-

sns-3495,

FTA_SSL_EXT.1: TSF-initiated

session locking

Setting the console timeout value:

Viewed with: show logging application localStore/iseLocalStore.log tail:

0000000106 1 0 2013-12-18 20:42:55.388 +00:00 0000000347 60189

NOTICE System-Management: Terminal Session timeout has been modified,

ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=10.154.25.94,

AdminName=martinf43, OperationMessageText=Terminal session-timeout is

set to 0, AcsInstance=sec-sns-3495,

FTA_SSL.3: TSF-initiated termination
Setting GUI timeout value:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-04-17 08:29:52.562 +00:00 0000000529 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=4, AdminInterface=GUI, AdminIPAddress=10.35.88.238, AdminName=admin43, ConfigChangeData=object updated: SessionTimeout=7,ObjectType=SessionTimeout, ObjectName=SessionTimeout, Component=Administration,ObjectInternalID=9f542b60-a290-11e2-8c31-0050568e0196,
Viewed with: show logging system ade/ADE.log tail:
2013-07-12T20:12:38.066693+00:00 infratest-10-01-pap ADE-SERVICE[3947]: [29669]:[info] utils: cars_shellcfg.c[53] [admin15]: Invoked carsSetConsoleIdleSessionTimeout timeout=3
2013-07-12T20:12:38.066998+00:00 infratest-10-01-pap ADE-SERVICE[3947]: [29669]:[info] utils: vsh_root_stubs.c[2122] [admin15]: terminal session-timeout set success

FTA_SSL.4: User-initiated termination
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-02-28 06:15:34.322 +00:00 0000007114 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=117, AdminInterface=GUI, AdminIPAddress=10.35.88.189, AdminSession=01DECDD71A846CBEA32B7A2D0614C891, AdminName=admin43, OperationMessageText=User logged out,
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-12-05 02:25:40.076 +00:00 0000000631 60116 NOTICE System-Management: ADEOS CLI user has logged out, ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, OperationMessageText=User martinf43 logged out, AcsInstance=sec-sns-3495,

FTA_TAB.1: Default TOE access banners
Configuring the GUI banner displayed prior to authentication:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-05-22 05:31:40.143 +00:00 0000000441 52000 NOTICE Configuration-Changes: Added configuration, ConfigVersionId=27, AdminInterface=GUI, AdminIPAddress=10.21.169.61, AdminName=martinf15, ObjectType=GUIPreLoginBanner, ObjectName=GUIPreLoginBanner, OperationMessageText=GUI Pre login banner has been configured, AcsInstance=infratest-10-01-pap,
Configuring the CLI banner displayed prior to authentication:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-05-22 05:31:40.424 +00:00 0000000442 52000 NOTICE Configuration-Changes: Added configuration, ConfigVersionId=27, AdminInterface=GUI, AdminIPAddress=10.21.169.61, AdminName=martinf15, ObjectType=CLIPreLoginBanner, ObjectName=CLIPreLoginBanner, OperationMessageText=CLI Pre login banner has been configured, AcsInstance=infratest-10-01-pap,

FTP_TRP.1: Trusted path
Connecting to ISE with HTTPS:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-03-12 23:06:15.252 +00:00 0000000210 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=4, AdminInterface=GUI, AdminIPAddress=10.154.25.7, AdminSession=2A8E11B8CBBEA152C1D7D78811A8D113, AdminName=admin43, OperationMessageText=Administrator authentication successful
Connecting to ISE with SSH:
Viewed with: show logging application localStore/iseLocalStore.log tail:
2013-07-18 21:34:15.419 +00:00 0000001210 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=5, AdminInterface=CLI, OperationMessageText=Accepted password for martinf43 from 10.21.167.148 port 8836 ssh2, AcsInstance=sec-sns-3495,

5.1 Viewing Audit Records

From the Command Line Interface:

1. Successfully authenticate to the Command Line Interface (CLI) as an admin-role user.

2. Run the command shown above each sample log in Tables 10 and 11 above (i.e. ‘show logging application localStore/iseLocalStore.log tail’).

From the Administration GUI:

The iseLocalStore.log can be remotely downloaded by running the following steps:

1. Successfully authenticate to the Administration GUI as a SuperAdmin role user.

2. Navigate to the Menu: Operations > Download Logs

3. On the left side, navigate to the ISE node where the audit event was generated in iseLocalStore.log.

4. Click the ‘Debug Logs’ tab in the content area.

5. Scroll down the list of log files until the iseLocalStore.log filename appears. Click the iseLocalStore.log link.

6. The iseLocalStore.log file may be downloaded or viewed with any external program.
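The following is an added example and is not Cisco's code or part of this guidance: a small Python parser for the iseLocalStore.log record layout shown in the sample logs above (timestamp, UTC offset, sequence number, message code, severity, category, then a comma-separated message and key=value pairs, with `\,` escaping a literal comma inside a value), plus a review pass over the output of the `show logging application localStore/iseLocalStore.log tail` command from step 2. The message codes used for classification (60108, 60154, 60189, 52001) are the ones that appear in the samples above. Two things it does are assumptions, not statements from this document: it treats a terminal session-timeout of 0 as disabling the CLI idle lock (the convention in IOS-style CLIs), and it treats the sequence number as monotonic per AcsInstance so that a gap inside a tail you expected to be contiguous points at lost or removed records. The sample lines are copied from this page.

```python
"""Added example (not Cisco's code): parse iseLocalStore.log records as printed by
'show logging application localStore/iseLocalStore.log tail' and flag the audit
events an evaluator cross-checks. Sample lines below are copied from this page."""
import re
from dataclasses import dataclass, field

# Layout taken from the samples: [optional counters] date time tz seq code SEVERITY Category: msg, k=v, ...
_HEADER = re.compile(
    r"^(?:\d+ \d+ \d+ )?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[+-]\d{2}:\d{2}) "
    r"(?P<seq>\d+) (?P<code>\d+) (?P<sev>[A-Z]+) (?P<cat>[A-Za-z-]+): (?P<rest>.*)$"
)
# Message codes as they appear in the samples on this page; used only for classification
PATCH_CODES = {60108, 60154}       # patch started / patch install completed
TERMINAL_TIMEOUT_CODE = 60189      # 'Terminal Session timeout has been modified'
CONFIG_CHANGE_CODE = 52001         # 'Changed configuration' (GUI SessionTimeout is logged here)


@dataclass
class IseEvent:
    ts: str
    seq: int
    code: int
    severity: str
    category: str
    message: str
    attrs: dict = field(default_factory=dict)


def _split_fields(rest):
    """Split the record body on commas, honouring the '\\,' escape ISE uses inside values."""
    parts, buf, i = [], [], 0
    while i < len(rest):
        if rest[i] == "\\" and i + 1 < len(rest) and rest[i + 1] == ",":
            buf.append(",")
            i += 2
            continue
        if rest[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(rest[i])
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_line(line):
    """Return an IseEvent, or None when the line is not an iseLocalStore record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = _split_fields(m.group("rest"))
    attrs = {}
    for f in fields[1:]:
        if "=" in f:
            k, v = f.split("=", 1)
            attrs[k.strip()] = v.strip()
    return IseEvent(m.group("ts"), int(m.group("seq")), int(m.group("code")),
                    m.group("sev"), m.group("cat"), fields[0] if fields else "", attrs)


def review(lines):
    """Return (seq, kind, detail) findings for the events an auditor cross-checks."""
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        who = "%s@%s" % (ev.attrs.get("AdminName", "?"), ev.attrs.get("AdminIPAddress", "?"))
        op = ev.attrs.get("OperationMessageText", "")
        if ev.code == TERMINAL_TIMEOUT_CODE:
            m = re.search(r"set to (\d+)", op)
            # Assumption (IOS-style CLI convention): 0 disables the idle timeout and so
            # defeats FTA_SSL_EXT.1 session locking; treat it as a finding.
            if m and int(m.group(1)) == 0:
                findings.append((ev.seq, "cli-timeout-disabled", "%s: %s" % (who, op)))
        elif ev.code in PATCH_CODES:
            findings.append((ev.seq, "trusted-update", "%s: %s" % (who, op)))
        elif ev.code == CONFIG_CHANGE_CODE:
            m = re.search(r"SessionTimeout=(\d+)", ev.attrs.get("ConfigChangeData", ""))
            if m:
                findings.append((ev.seq, "gui-timeout-changed", "%s: SessionTimeout=%s" % (who, m.group(1))))
    return findings


def sequence_gaps(lines):
    """(node, prev_seq, next_seq) for every break in the per-node sequence number.
    Assumes the sequence number is monotonic per AcsInstance (not stated on this page)."""
    by_node = {}
    for ev in filter(None, map(parse_line, lines)):
        by_node.setdefault(ev.attrs.get("AcsInstance", ""), []).append(ev.seq)
    gaps = []
    for node, seqs in by_node.items():
        seqs.sort()
        gaps += [(node, a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]
    return gaps


SAMPLE_LINES = [  # copied from the sample logs on this page
    "0000000106 1 0 2013-12-18 20:42:55.388 +00:00 0000000347 60189 NOTICE System-Management: Terminal Session timeout has been modified, ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=10.154.25.94, AdminName=martinf43, OperationMessageText=Terminal session-timeout is set to 0, AcsInstance=sec-sns-3495,",
    r"2013-03-16 00:26:35.189 +00:00 0000000901 60108 NOTICE System-Management: Application patch started, ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, OperationMessageText=Patch Install initiated with bundle - ise-patchbundle-1.2.0.671-04.i386.tar.gz\, repo - tmplocalpatchinstallrepo, AcsInstance=sec-sns-3495,",
    "2013-03-16 00:26:36.194 +00:00 0000000902 60154 NOTICE System-Management: Application patch install has completed successfully, ConfigVersionId=4, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, OperationMessageText=Patch (04) installation successful, AcsInstance=sec-sns-3495,",
    "2013-04-17 08:29:52.562 +00:00 0000000529 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=4, AdminInterface=GUI, AdminIPAddress=10.35.88.238, AdminName=admin43, ConfigChangeData=object updated: SessionTimeout=7,ObjectType=SessionTimeout, ObjectName=SessionTimeout, Component=Administration,ObjectInternalID=9f542b60-a290-11e2-8c31-0050568e0196,",
]

if __name__ == "__main__":
    for seq, kind, detail in review(SAMPLE_LINES):
        print(seq, kind, detail)
    print("sequence gaps:", sequence_gaps(SAMPLE_LINES))
```

Run it against a saved copy of the `tail` output (or the iseLocalStore.log downloaded in step 6) rather than only the embedded samples; the gap check is only meaningful over records from one node that were expected to be contiguous, which is why the embedded samples, taken from different dates, report a gap between 347 and 901.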

5.2 Deleting Audit Records

5.2.1 Local Logs Storage Settings and Deletion

From the Administration > System > Logging > Local Log Settings page, a System admin or a Super admin can configure the storage period for logs (in days) and delete the existing log files. The administrator may delete all rolled-over log files with the "Delete Local Logs Now" selection in the administration application.

Once the configured storage period has passed, events older than that age are automatically deleted.

TCP syslog buffers events in a local file limited to a total of 100 MB. The limit is specified as a file size, not as a number of events. When the file fills, writing wraps to the beginning of the file and overwrites the oldest events, so any buffered event that has not yet been delivered by then is lost. The 100 MB value is configurable; the lowest permitted value is 10 MB and the value must be a whole number of megabytes.

5.2.2 External Platform Logs Storage Settings and Deletion

Logs received from external platforms, including other ISE nodes, are stored in the M&T (Monitoring and Troubleshooting) log on the ISE platform. To configure log storage settings and clear these logs, log in to the command line interface (CLI) of the ISE Monitoring persona node as an admin-role user. Run the EXEC-level command application configure ise, enter selection 9 (Purge M&T Operational Data), enter the number of days of data to retain (1-90), and confirm the request with y (yes). See the example below for context.

hostname/username# application configure ise
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
[6]Enable/Disable ERS API
[7]Reset M&T Session Database
[8]Rebuild M&T Unusable Indexes
[9]Purge M&T Operational Data
[10]Reset M&T Database
[11]Refresh M&T Database Statistics
[12]Display Profiler Statistics
[13]Exit
9
Enter number of days to be retained in purging MnT Operational data [between 1 to 90 days]
For instance, Entering 20 will purge MnT Operational data older than 20 days
Enter 'exit' to return to the main menu without purging
Enter days to be retained: 90
You are about to purge M&T data older than 90 from your database.
Are you sure you want to proceed? y/n [n]: y
M&T Operational data older than 90 is getting removed from database


6. Modes of Operation

ISE has several modes of operation:

Booting – while booting, ISE drops all network traffic until the image and configuration have loaded. This mode automatically progresses to the Normal mode of operation. If a special image (as received from Cisco TAC) has been loaded on the system, the system goes from Booting to the Rescue Admin CLI.

Rescue Admin CLI – booting to the rescue admin CLI password-recovery image (received from Cisco TAC) allows modification of a CLI administrator user in the event the password is forgotten. Once the password is reset, ISE reloads and enters Booting mode.

Safe Mode – once ISE has booted, a CLI admin-role user can put the device into Safe Mode by issuing ‘application stop ise’ followed by ‘application start ise safe’. Safe mode exists for the case where a customer misconfigures their access controls in a way that prevents them from administering ISE from the Administration console GUI. Once the configuration has been corrected in safe mode, ISE reloads and enters Booting mode.

Normal – the ISE image and configuration are loaded and the TOE is operating as configured. All levels of administrative access occur in this mode, and all ISE security functions are operating. This is the expected mode of operation for the TOE.

Following an operational error, ISE reboots (once power is available) and enters Booting mode.

ISE also has two modes of operation with respect to cryptographic functionality:

Non-FIPS mode – the TOE ships in non-FIPS mode, which places no restrictions on the cryptography used on the system.

FIPS mode – in FIPS mode, ISE uses the cryptography described in [5] for all claimed cryptographic operations. When FIPS mode is enabled, the Cisco ISE administrator interface displays a FIPS mode icon to the left of the node name in the upper-right of the page. Together with Normal mode, this is the expected mode of operation for the TOE.

ISE uses a cryptographic module that runs a suite of self-tests during initial start-up of the TOE to verify its correct operation. These tests check the integrity of the code and the correct operation of each cryptographic algorithm and method used (e.g. AES-CBC, SHA-1). If any test fails, the administrative web-based UI will not be accessible, and for a limited time window the security administrator will be able to log in to the CLI on the KVM (keyboard, video, mouse) console and run the CLI command “show application status ise” to determine that services have been disabled because “FIPS INTEGRITY CHECK HAS FAILED”. Eventually the administrator will be unable to log in to the CLI even on the KVM, as all services are shut down, including CLI login. After authenticating, a fatal error is displayed and the user may only press <Enter> to log out; no other action can be performed. The error message is: “ERROR: ISE SERVICES HAVE BEEN DISABLED BECAUSE FIPS INTEGRITY CHECK HAS FAILED! EITHER REIMAGE FROM ISE INSTALLATION MEDIA, OR CONTACT CISCO TECHNICAL SUPPORT CENTER FOR INSTRUCTIONS ON DIAGNOSING THE FAILURE. Press <Enter> to logout”.


7. Security Measures for the Operational Environment

Proper operation of the TOE requires functionality from the environment. It is the responsibility of the Security administrator of the TOE to ensure that the Operational Environment provides the necessary functions and adheres to the environment security objectives listed below. The environment security objective identifiers map to the environment security objectives as defined in the Security Target.

Table 11: Operational Environment Security Measures

Columns: Environment Security Objective; Operational Environment Security Objective Definition; Privileged and Semi-privileged administrator responsibility.

OE.PHYSICAL
Definition: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
Administrator responsibility: Administrators must ensure the TOE is installed and maintained within a secure physical location. This can include a secured building with key card access or within the physical control of an authorized administrator in a mobile environment.

OE.NO_GENERAL_PURPOSE
Definition: There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
Administrator responsibility: Administrators will make sure there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE.

OE.NO_THRU_TRAFFIC_PROTECTION
Definition: The TOE does not provide any protection of traffic that traverses it. It is assumed that protection of this traffic will be covered by other security and assurance measures in the operational environment.
Administrator responsibility: Administrators need to ensure that the security provided by the TOE is complemented by other security measures in the operational environment that protect the traffic traversing the TOE.

OE.TRUSTED_ADMIN
Definition: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
Administrator responsibility: Administrators must be properly trained in the usage and proper operation of the TOE and all the provided functionality per the implementing organization’s operational security policies. These administrators must follow the provided guidance.

OE.UPDATES
Definition: The TOE firmware and software is updated by an administrator on a regular basis in response to the release of product updates due to known vulnerabilities.
Administrator responsibility: Administrators ensure that the TOE is updated with the latest firmware and software patches to keep it secure from threats to known vulnerabilities.

OE.ADMIN_CREDENTIALS_SECURE
Definition: The administrator’s credentials (private key) used to access the TOE must be protected on any other platform on which they reside.
Administrator responsibility: Administrators need to keep the credentials they use to access the TOE secure and protected.


8. Related Documentation

Use this document in conjunction with the ISE 2.0 documentation at the following location:

http://www.cisco.com/

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

8.1 World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

http://www.cisco.com

http://www-china.cisco.com

http://www-europe.cisco.com

8.2 Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace:

http://www.cisco.com/web/ordering/root/index.html

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Non-registered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).

8.3 Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to [email protected].

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc., Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

9. Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com